Package: security-tracker
Severity: wishlist

https://security-tracker.debian.org/tracker/source-package/foo shows CVEs tagged <no-dsa> as "vulnerable (no DSA)". If there's an update pending (i.e. if a CVE is listed in data/next-point-release.txt) it could instead be presented as "pending for next point release".

Cheers,
Moritz