Hi all,

I have implemented support for a new tag in the tracker called <undetermined>. The purpose of this tag is to describe the state of an issue that you are fairly certain applies to a specific package, but you have not had enough time (or there is not yet enough information) to be confident in applying <unfixed>, fixed, or any of the other currently available statuses to the entry. This, for example, allows you to pass the burden on to the maintainer while also keeping track of it. This is primarily intended for ill-defined, very new, and massive issues.

If you are confident that an issue is fixed in a specific version, or that it is known <unfixed>, then <undetermined> wouldn't be the right status. Please continue to use the appropriate status when you have confidence in the state. If you know that an issue is fixed, but you don't know in which specific version the fix is applied, you could also use <undetermined>, but it should not be treated as a permanent state. You should come back and determine the fixed version.

This tag creates a third status in the security tracker sqlite database, called undetermined. Previously there were only two valid statuses: vulnerable and fixed.

For every CVE that has a source package with an <undetermined> tag, the tracker will now state that the status is undetermined for that source package and its associated binary packages on the CVE page. It will also state that the package "may be vulnerable" for each individual release where that is appropriate. If an urgency has not yet been specified in the CVE list, an undetermined urgency is automatically assigned; it is displayed normally with the entered urgency.

For debsecan, undetermined issues are presently listed without an urgency (as if the issue were unfixed with no urgency included in the CVE list). This is not ideal, and should probably be improved in the future given the time to implement that.

Any questions or feedback, please let me know.

Best wishes,
Mike
