On 29.01.2025 2:12 PM, Dan Ritter wrote:
> The notes say:
>
> [bookworm] - zlib <ignored> (contrib/minizip not built and src:zlib not
> producing binary packages)
>
> In other words, there's no point in fixing it because Debian
> doesn't build the vulnerable binary component.
>
> Very low priority.

Could you please drop a link to those notes?

If CVSS is "critical" and the Debian tracking system says "bookworm -
vulnerable", then why does it have low priority?

Maybe I just don't understand the process behind this "Debian doesn't build
the vulnerable binary component", so please clarify in more detail.

> CVSS scores are often bogus.

Hmmm... I'm not sure what you mean. All security announcements in DSAs
refer to CVSS, so... what's the source of such an opinion?

>> Similar problem with the second critical on the list: package "libaom3", which is a
>> binary package from "aom":
>> https://security-tracker.debian.org/tracker/source-package/aom
>
> It could crash on invalid input. That's minor. It could crash on
> invalid input. Also minor. It could potentially be used to
> execute code with the privileges of the user running the software,
> which is bad, but it appears to only exist in Android, so Debian
> thinks it is not interesting.

Also a bit of an enigmatic explanation for me...

CVSS says: critical 9.8
Debian says: yes, bookworm is vulnerable
You say: minor, minor, it appears to only exist in Android

Really? :-)