On Wed, Dec 16, 2020 at 10:28:47AM +0200, Adrian Bunk wrote:
> On Wed, Dec 16, 2020 at 07:36:19AM +0100, Ola Lundqvist wrote:
> > Hi LTS team
> >
> > I have checked two of the pluxml issues
> > CVE-2020-18184
> > This vulnerability is questioned upstream.
> >...
> > The question is how this should be marked:
> > - no-dsa minor issue?
> > - ignored?
> >...
>
> "not a vulnerability" or "no security impact" is usually marked
> "unimportant", see e.g.
> https://security-tracker.debian.org/tracker/source-package/python3.7
>
> For pluxml the same CVEs are "vulnerable" in stable+unstable and with RC
> bug #973382 open, the security team should know best how to handle this
> based on your analysis.
When filing bugs in the BTS, the impact isn't always obvious, and when in doubt they are filed with high severity to be on the safe side (the maintainer can always downgrade anyway).

If these are non-issues, it's usually best to reach out to upstream and get the CVE disputed or rejected, but it seems no one has replied to Seth Arnold's question in issue 320 since October, so that's probably in vain. So feel free to mark these as <unimportant>.

Cheers,
Moritz