I should have finalized to reply on the bug in full first, apologies you now get two mails!
On Sat, Dec 11, 2021 at 08:36:11AM +0100, Salvatore Bonaccorso wrote:
> The underlying bug might still be fixed at some point, there was a
> similar issue in past for the NOTE part as well, which if I remember
> correctly got fixed.

Picking the explicit mentioned list, I would still see it useful if the parsing is correct, but it's really a minor issue in the end:

CVE-2017-0381
> [jessie] - opus <ignored> (Minor issue, https://bugs.debian.org/851612#10)

Would still be useful if that works when displaying, because the reference highlights more detailed why the issue was ignored for the specific suite.

CVE-2018-16869
> [jessie] - nettle <no-dsa> (Minor issue -
> https://lists.debian.org/debian-lts/2019/03/msg00021.html)

Same as above, the reference gives an additional information why in LTS context for jessie the issue can be considered minor, but not necessary as a general note for the CVE. Borderline, a NOTE could also have worked for this case I guess.

CVE-2021-32686
> [stretch] - pjproject <no-dsa> (Minor issue;
> https://people.debian.org/~abhijith/upload/CVE-2021-32686.patch)

As for the initial mentioned CVE. I believe this does not belong to the tracker itself, but seems to be for a partial work on the package so the work is not lost when another LTS member picks up to further update pjproject and might want to include the work from abhijith.

CVE-2020-28491
> [stretch] - jackson-dataformat-cbor <no-dsa> (Minor issue;
> https://people.debian.org/~abhijith/CVE-2020-28491.txt)

Samewise, IMHO.

CVE-2008-5161
> [etch] - openssh <no-dsa> (Minor issue, see
> http://www.openssh.org/txt/cbc.adv)

Indeed that would have been more appropriate putting in some form in a NOTE!

Regards,
Salvatore