• CVE-2021-31879 | CVE-2021-38371 | CVE-2016-2781 | fixed packages

    From Sujeet Roy@21:1/5 to All on Tue Jun 7 12:00:01 2022
    Hello Team,
    Could you please provide us the deadline when we can get the fixed
    packages for below packages:

    CVE-2021-31879
    CVE-2021-38371
    CVE-2016-2781

    I searched on your portal https://security-tracker.debian.org/tracker/CVE-2021-31879 , where I did
    not get the updated packages. Kindly do the needful ASAP.

    Thanks and Regards
    Sujeet Roy


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Salvatore Bonaccorso@21:1/5 to Sujeet Roy on Tue Jun 7 12:30:01 2022
    Hi

    On Tue, Jun 07, 2022 at 03:11:12PM +0530, Sujeet Roy wrote:
    > Hello Team,
    > Could you please provide us the deadline when we can get the fixed packages for below packages:
    >
    > CVE-2021-31879
    > CVE-2021-38371
    > CVE-2016-2781
    >
    > I searched on your portal https://security-tracker.debian.org/tracker/CVE-2021-31879 , where I did
    > not get the updated packages. Kindly do the needful ASAP.

    All mentioned CVEs above do not warrant an update via the security
    update for the affected packages. Updates for those issues might be
    issued via so-called point releases (once they are fixed first in the
    unstable suite), or then included in a future update of the packages.

    Regards,
    Salvatore

  • From Bjørn Mork@21:1/5 to Sujeet Roy on Tue Jun 7 13:30:01 2022
    Sujeet Roy <sujeet.roy@optimalvirtualemployee.com> writes:

    > Could you please provide us the deadline when we can get the fixed packages for below packages:
    >
    > CVE-2021-31879
    > CVE-2021-38371
    > CVE-2016-2781

    I believe this is answered on https://www.debian.org/security/faq#cvedsa
    which is pointed to from both https://www.debian.org/security/ and https://www.debian.org/doc/manuals/securing-debian-manual/

    Let me copy the answer here for your convenience:

    Q: Does Debian issue a DSA for every CVE id?

    A: The Debian security team keeps track of every issued CVE identifier,
    connects it to the relevant Debian package and assesses its impact in a
    Debian context - the fact that something is assigned a CVE id does
    not necessarily imply that the issue is a serious threat to a Debian
    system. This information is tracked in the Debian Security Tracker
    and for the issues that are considered serious a Debian Security
    Advisory will be issued.

    Low-impact issues not qualifying for a DSA can be fixed in the next
    release of Debian, in a point release of the current stable or
    oldstable distributions, or are included in a DSA when that is being
    issued for a more serious vulnerability.


    If you read the notes made by the security team at

    https://security-tracker.debian.org/tracker/CVE-2021-31879
    https://security-tracker.debian.org/tracker/CVE-2021-38371
    https://security-tracker.debian.org/tracker/CVE-2016-2781

    then you'll see that all of these are identified as "Minor issue". And
    there are even more hints on when you can expect a fix on two of them:

    wget <postponed> (Minor issue; can be fixed in next update)
    exim4 <postponed> (Minor issue, revisit when fixed upstream)

    Given that those answers are already available to you, I don't think
    it's appropriate to demand further details or timelines.

    You are of course free to disagree with the security team on the
    importance of these bugs. But then you should rather discuss that in
    the bug reports linked from the security-tracker, providing your
    arguments. And maybe even suggest a fix if you have one.

    Repeated questions answered by the FAQ are just unnecessary noise.


    Bjørn (not part of Debian or the security team)
