Hi,
I think this requires a bit of coordination:
- the package is basically dead upstream, there hasn't been a fix in the
official repos, and neither Debian nor other distros attempted to fix them
- we do have a sponsor for LTS and ELTS/stretch, so we're paid to take
care of this package
- secteam usually sets unimportant/low/high severity, not us
So I wonder if this package is still supportable. I'd suggest you sync
with LTS Coordinator to see if we should invest time in fixing the
issues ourselves, or drop the package from debian-security-support.
If you also want to alter the severity of the fixes, I'd suggest you
coordinate with the Security Team first.
Cheers!
Sylvain
On 08/04/2024 00:06, Ola Lundqvist wrote:
Hi again
Today I looked at the freeimage package that we have in dla-needed.
My conclusion is that we have 19 CVEs postponed with motivation "revisit
when fixed upstream" and 23 CVEs that are in bullseye declared as no-dsa
with the same motivation.
Since we have this postpone decision for the 19 CVEs we should declare
the rest as postponed as well. This means that the package should go
away from dla-needed after such an operation.
Or am I reasoning in the wrong way?
In fact I think all the ones with local DoS class should be declared
"low" severity.
If I do not hear anything about this I will change this in the way I
describe above.