Hi, On Fri, Mar 01, 2024 at 09:11:34AM +0100, Richard van den Berg wrote: > Dear security team, > > May I ask why CVE-2023-41105 was marked as "<no-dsa> (Minor issue)"[1] ? > > As the CVE description says there are plausible cases where this can lead to > security issues. > > There is a backport available for python 3.11 and it seems most other > distros have patched this CVE.
The current open issues for python3.11 in bookworm do not warrant a DSA on it's own, but that does not mean that they cannot be fixed (though someone needs to step up and do the work). The current three open CVEs CVE-2023-24329, CVE-2023-40217 and CVE-2023-41105 could be batched together and fixed in a point release (there is one upcoming on 2024-04-06, whith the window for uploads closing the preceeding weekend). Regards, Salvatore