Hi Arnaud, On Tue, Aug 13, 2019 at 11:28:08AM +0200, Arnaud Rebillout wrote: > This is fixed in unstable. > > Question from a non-experienced DM: severity is "normal", should I > understand that this fix shouldn't be included in stable? Or should I > expect an explicit "no-dsa" tag?
The severity does indeed not need to imply that or a no-dsa necessarily. In this concrete case we have already marked the issue as no-dsa though: https://security-tracker.debian.org/tracker/CVE-2019-13509 A fix can be scheduled though via an upcoming point release. Regards, Salvatore