Hi,

I will leave specific comment on this to Moritz, but below is a general
note since this seems to be not generally known:

On Sat, Oct 26, 2024 at 07:46:44AM +0200, Sebastiaan Couwenberg wrote:
> Control: severity -1 important
> 
> Lowering the severity as the security-tracker marks it as a no-dsa minor 
> issue.

An RC severity and a no-dsa classification are orthogonal. With an RC
severity we make clear that this issue should be fixed for the next
to-be-released stable release, and we consider it as such.

With no-dsa we think that an out-of-band DSA is not needed for this,
often classifying it as a minor issue. There is additionally a
postponed tag, of the same class, when we think of higher priority or
someone has already queued it. You will see DSAs for both even lower
severity bugs or for RC bugs. But what should be made aware here is
that not every RC issue CVE implies a DSA, or vice versa, if something
is marked no-dsa in the security tracker that it is not considered RC.

Regards,
Salvatore
