severity: important
thanks

Hi Brian,

Brian Potkin - 10.06.19, 21:32:
> Severity: critical
> thanks
> 
> On Thu 25 Oct 2018 at 12:50:25 +0100, Brian Potkin wrote:
> > Package: okular
> > Version: 4:17.12.2-2
> > Severity: critical
> > Tags: upstream security
> > 
> > "critical" because a document should always go to where it is sent.
> > Please reduce the severity if I have overestimated the security
> > implications.
> > 
> > The CUPS version being used is 2.2.8-5 and cups-browsed is not
> > running. The issue was encountered while taking another look at
> > #911702.
[…]
> > The job is always sent to a local queue when its destination precedes
> > realq_desktop alphabetically.
[…]
> I have retested this. There is no change on the present unstable. I
> cannot see why a confidential print job going to a staff printer is
> anything but a security issue. Maybe this is something that merits
> the tag of normal but explanations are in short supply.

Brian, before raising a bug severity to the highest severity possible, 
please read and understand the Debian release team's guidelines 
regarding release critical bugs¹ as well as the general descriptions of 
bug severities².

A "critical" bug is a bug that introduces a (remotely exploitable) 
security hole on systems you install the package to. A "grave" bug is a 
bug that introduces a (remotely exploitable) security hole allowing 
access to the accounts of users using the package.

None of this is the case here.

If at all, the bug might be "serious" if in the maintainer's opinion it 
would make the package unsuitable for release.

Now please respect the reduced bug severity. Raising the severity again 
won't get you any priority handling with an already understaffed Debian 
Qt/KDE team. This is a community of people who are mostly doing unpaid 
work.


Two ways to use your (and our) time in a more productive manner are:

1) Retest with Okular 18.04 from Debian experimental (in case you run 
buster/sid). Or start KDE Neon in a machine and try with the newest 
Okular available there.

2) Remind upstream in a friendly way to have a look at the issue. Once 
there is a patch upstream it is very likely it could be backported for 
buster. Maybe it would be an idea to raise the upstream bug to KDE's 
security team.


[1] https://release.debian.org/testing/rc_policy.txt

[2] https://www.debian.org/Bugs/Developer

Thanks,
-- 
Martin
