Hi,

On Tue, Apr 21, 2020 at 05:22:15PM +0200, Sylvain Beucler wrote:
> I contacted upstream a few days ago:
> https://varnish-cache.org/lists/pipermail/varnish-misc/2020-April/026854.html
> No answer yet.
>
> I'll probably ping the security contact (individual maintainers) in a
> bit and search some more on my own.
>
> Failing that I'll mark the issue undetermined for 4.x.
Actually, please do not mark it as undetermined in lower suites; it is meant for a broader, higher-level view on a CVE. undetermined is used (and this seldom) when there is a need to track a newly arisen CVE where it seems sufficiently clear that it affects a specific source package, but no real initial triage could be done (or, as another example, not sufficient information is available to start doing so), with the advantage of having the CVE already popping up, e.g. for debsecan. Other cases are when there is still not much information in general available, like for some CVEs arising from Apple, claiming affectedness of libxml2, but there is simply no information available about what the issue is about.

Now, usually if for a specific lower suite we are not able to determine its not-affected source status, then we err on the 'safe' side and keep it affected. But if you want to have it out of your radar, mark it with the no-dsa substate 'ignored' to not further look at the issue.

Hope this helps,

Regards,
Salvatore