Hi Hans,

On Tue, Oct 18, 2022 at 02:17:32PM +0200, Hans van Kranenburg wrote:
> Hi!
>
> On 10/12/22 19:38, Moritz Mühlenhoff wrote:
> > Source: xen
> > X-Debbugs-CC: [email protected]
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerabilities were published for xen.
> >
> > CVE-[...]
>
> Thanks for the overview. The XAPI one indeed does not apply to src:xen.
>
> I have a question, since the 'bug' report does not contain a question,
> or explicit call for action, and I have not seen it in this way before.
>
> Does explicitly opening a BTS bug mean that, like we used to call it,
> "these CVEs warrant a DSA", and that it is a request for an ASAP package
> update and preparing a security update for stable, or, is this a new
> thing where BTS bugs are opened for packages, just in case the
> maintainer did not already track security issues themselves actively?
Filing a bug, or even its severity, may be completely orthogonal to the question of whether something warrants a DSA. In fact you will notice in the security-tracker issues triaged as no-dsa (not warranting a DSA, but which could be fixed in a point release or piggy-backed onto a later update as well) filed as bugs for tracking in the BTS as well, with severity grave, indicating though that the issue should be assumed RC and be fixed in testing so that the next stable version will include a fix. Filing a bug makes sure maintainers are aware of the issues.

Hope this helps,

Regards,
Salvatore

