Rafał Lichwała wrote:
>
> On 29.01.2025 2:12 PM, Dan Ritter wrote:
> > The notes say:
> >
> > [bookworm] - zlib <ignored> (contrib/minizip not built and src:zlib not
> > producing binary packages)
> >
> > In other words, there's no point in fixing it because Debian
> > doesn't build the vulnerable binary component.
> >
> > Very low priority.
>
> Could you please drop a link to those notes?

It's in the links that you sent.

> If CVSS is "critical" and Debian tracking system says "bookworm -
> vulnerable", so why it has low priority?
>
> Maybe I just don't understand the process of this "Debian doesn't build the
> vulnerable binary component", so please clarify in more details.
>
> > CVSS are often bogus.
>
> Hmmm... I'm not sure what you mean. All security announcements in DSAs are
> referring to CVSS, so... what's the source of such opinion?

Most recently: https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/

> You say: minor, minor, it appears to only exist in Android
>
> Really? :-)

I read the notes. You sent the links, you should read them.

-dsr-