Hi Nicholas,

On Thu, Jun 27, 2024 at 06:14:20PM -0400, Nicholas D Steeves wrote:
> Hi Salvatore,
>
> Salvatore Bonaccorso <car...@debian.org> writes:
>
> > On Tue, Jun 25, 2024 at 03:04:42AM +0000, Debian FTP Masters wrote:
> >> org-mode (9.7.5+dfsg-1) unstable; urgency=medium
> >> .
> >>   * New upstream release that resolves CVE-2024-39331 (Closes: #1074136).
> [snip]
> >
> > Thanks for this upload. FYI, have uploaded some minutes ago now as
> > well a corresponding version for bullseye-security to security-master.
> >
>
> Thank you! As for bookworm, I'm unhappy with the security tracker
> status of "ignored". Would you please ACK an upgrade of the empty
> package's emacs dependency to ( >= emacs_fixed_version )? That way the
> metadata would ensure that it's fixed. Feel free to do it yourself, if
> you'd prefer, but I have not been ignoring the state of bookworm, so
> want users to see "fixed", and feel safe, rather than see "ignored" and
> wonder about apathy in the face of scary vulnerabilities.
I admit, the state might be confusing, but it's tracking the source
package, thus ignored with the attached reason. (In fact we are
pondering if we can/should introduce a substate of unfixed for such
cases where no binary packages are affected; we cannot use the usual
unimportant here, see tracker documentation, because the severity would
affect the source package as a whole.) I think users are confused about
the state mostly when using commercial security scanners, thinking the
security-tracker exposes information about the binary packages, which is
not true.

Hope this clarifies things for you?

> I also received a bug report about how bookworm's org-mode-doc shadows
> the docs provided by emacs-common-non-dfsg. A similar empty package,
> plus ( >= emacs-common-non-dfsg ) would fix that.

This indeed might go in with an upcoming point release but is out of
scope for a security update.

> Looking forward to hearing what you think,
> Nicholas

Thanks for all your work, and regards
Salvatore