On Mon, Mar 18, 2024 at 01:01:28PM +0100, Emilio Pozuelo Monfort wrote:
> On 14/03/2024 21:36, Roberto C. Sánchez wrote:
> > - if a CVE is 'fixed' in LTS but 'ignored' in (old)stable, then the
> >   security team should be contacted to see if they would be willing to
> >   change to 'no-dsa' so that a point release fix can be made
>
> Small nitpick: a CVE 'ignored' for (old)stable can still be fixed via point
> release. The sec-team could be contacted to update that triaging, but that's
> only ignored for (old)stable-security, not for (old)stable, where other
> criteria apply. The reason following the ignored triaging may give some
> more insight as to why it was ignored and why it may or may not make sense
> to fix in a point release.
>
Thanks. I was not aware of this distinction.

Regards,

-Roberto

-- 
Roberto C. Sánchez
