Hi! On 10/12/22 19:38, Moritz Mühlenhoff wrote: > Source: xen > X-Debbugs-CC: t...@security.debian.org > Severity: important > Tags: security > > Hi, > > The following vulnerabilities were published for xen. > > CVE-[...] Thanks for the overview. The XAPI one indeed does not apply to src:xen.
I have a question, since the 'bug' report does not contain a question, or explicit call for action, and I have not seen it in this way before. Does explicitly opening a BTS bug mean that, like we use to call it, "these CVEs warrant a DSA", and that it is a request for an ASAP package update and preparing a security update for stable, or, is this a new thing where BTS bugs are opened for packages, just in case the maintainer did not already track security issues themselves actively? I'm just wondering... Thanks, Hans