Hi Sergey,

On Sun, Jun 09, 2019 at 10:59:06AM +0300, Sergey B Kirpichev wrote:
> severity 927775 important
> thanks
>
> No reasons, so revert back severity.
This is from my point of view not okay, and I will try to explain why I think so.

I filed the bug on 2019-04-23 with severity important for two issues in src:monit which already had upstream fixes back then. See the security-tracker references for the fixing commits. The bug remained unanswered while buster was getting more and more into shape for being released. After some time had passed, on 2019-06-03, another Debian security team member (Moritz Muehlenhoff <j...@debian.org>) raised the severity to a release-critical value. The issue should be fixed for buster itself; without that we would need to release buster with those two CVEs open for monit from the beginning.

After this severity raise, though on the same date, a new upstream version (5.25.3) was uploaded, while we have been in deep freeze for a while in preparation for buster. See [1] for what is acceptable from the Release Team's point of view at this point, although exceptions are made on a case-by-case basis. The changes between the two releases contain more than only those two fixes.

Why was this uploaded as a new upstream version in the first place during the deep freeze, and not via targeted fixes? Could you please work out with the Release Team via an unblock request whether they would wave the version through, or else schedule a targeted fix via testing-proposed-updates?

Regards,
Salvatore

[1] https://release.debian.org/buster/freeze_policy.html