Hi Anton and Utkarsh

If you think we should support the package, I'll add it to dla-needed. From
the description it looks like one can trigger a denial of service without
being authenticated. That sounds pretty severe to me.

But I'm definitely not an elog expert. I'll add a note that it should be
investigated further.

Cheers

// Ola

On Tue, 17 May 2022 at 15:39, Anton Gladky <gladky.an...@gmail.com> wrote:

> I agree with Utkarsh. Even one CVE should be
> fixed if there are no objective reasons not to do it.
>
> Yes, if it is minor, it can be postponed, but not for longer
> than a reasonable amount of time.
>
> Regards
>
> Anton
>
> On Tue., 17 May 2022 at 14:28, Utkarsh Gupta
> <guptautkarsh2...@gmail.com> wrote:
> >
> > Hi Ola,
> >
> > On Tue, May 17, 2022 at 12:35 PM Ola Lundqvist <o...@inguza.com> wrote:
> > > While triaging today I noticed this rather old CVE. The elog package
> > > is clearly vulnerable (at least when looking through the source code).
> > > However I noticed that elog is removed (exists in buster and bullseye
> > > though) and it has a very low popcon score.
> > >
> > > Is it worth fixing?
> >
> > I think this is a "<postponed> (Fix along with the next DLA)"
> > candidate. It doesn't appear to be severe to warrant a DLA
> > independently (unless I've overlooked something here).
> >
> > > If not, we should say that this package is unsupported.
> >
> > I don't think so. The only open CVE has a fix present. We should only
> > mark something as unsupported when there's a solid reason to, for
> > instance, when the number of CVEs is too high with little or no
> > help/cooperation from upstream, et al, et al. In this case, I don't
> > think we should mark this as EOL yet.
> >
> >
> > - u
> >
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
