• Debian Security Tracker - `no-dsa` Clarification

    From Hadas Bloom@21:1/5 to All on Mon Nov 21 11:40:01 2022
    Hello!

    My name is Hadas, I'm in the Snyk Security Group. I've been in contact with
    you a while back regarding the `no-dsa` field and its different tags.

    I just want to further confirm if our understanding of the usage of the
    various terms (`no-dsa`, `ignored`, `postponed`, "Minor issue") is correct:

    1. From this <https://wiki.debian.org/LTS/Development#:~:text=%22no%2Ddsa%22%20is,the%20victim%27s%20infrastructure.>
    documentation
    it seems that "Minor issue" should not be used for drawing conclusions on
    the severity of the vulnerability, but from this <https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory:~:text=Sometimes%20an%20issue%20might%20not%20warrant%20an%20(immediate)%20security%20advisory%2C%20for%20example%20if%20its%20severity%20is%20minor.%20When%20that%27s%20the%20case%2C%20they%20are%20marked%20with%20a%20distribution%20tag%2C%20the%20%3Cno%2Ddsa%3E%20state%20and%20an%20explanation.>
    documentation
    it does seem like the severity might mean "minor" in these cases. Could you please clarify that?

    2. In our previous conversation there was a suggestion only to use the `ignored` and `postponed` tags to understand the priority of the
    vulnerability.
    I do see that there are certain vulnerabilities, for example CVE-2022-45198 <https://security-tracker.debian.org/tracker/CVE-2022-45198> in Buster,
    that are only marked with "Minor issue" in the `no-dsa` field, and don't
    have either of the `ignored` or `postponed` tags. Could you please help us understand what we should do in such cases? What does the "Minor issue"
    suggest here?


    Thank you for the help,
    Hadas

    Hadas Bloom
    Senior Security Analyst



    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
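    As an added example that is not part of this thread and not code from the Debian
    security tracker project: a small Python parser for the per-release lines of the
    tracker's `data/CVE/list` file, in the `[release] - package <state> (note)` layout
    the tracker uses, which applies the reading discussed above. Only an explicit
    `<ignored>` (no fix planned for that release) or `<postponed>` (fix deferred) state
    is a handling decision a downstream consumer can act on; a bare `<no-dsa>` with a
    free-text note such as "Minor issue" only records that no advisory is being issued,
    and is not treated as a severity rating. The sample input is constructed for the
    demo: the CVE-2022-45198 buster line is the case from the thread, while the
    description text, version numbers and the CVE-0000-* identifiers are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of the security tracker's data/CVE/list file.
# CVE-2022-45198 with "[buster] ... <no-dsa> (Minor issue)" is the case from the
# thread; the description text, versions and the CVE-0000-* entries are
# placeholders invented for this demo, not real tracker data.
SAMPLE_LIST = """\
CVE-2022-45198 (description placeholder, constructed for this demo)
\t- pillow 9.3.0-1
\t[bullseye] - pillow <no-dsa> (Minor issue)
\t[buster] - pillow <no-dsa> (Minor issue)
CVE-0000-00001 (placeholder, not a real CVE)
\t- examplepkg <unfixed>
\t[bullseye] - examplepkg <postponed> (Minor issue; fix with next DSA or point release)
\t[buster] - examplepkg <ignored> (Minor issue)
CVE-0000-00002 (placeholder, not a real CVE)
\t- otherpkg <not-affected> (vulnerable code not present)
\t[bullseye] - otherpkg 1.0-1+deb11u1
\t[buster] - otherpkg <no-dsa> (Minor issue; can be fixed in a point release)
"""

# "[release] - package <state> (note)"  or  "[release] - package version"
RELEASE_LINE = re.compile(
    r"^\t\[(?P<release>[^\]]+)\] - (?P<package>\S+)"
    r"(?: (?:<(?P<state>[a-z-]+)>|(?P<version>\S+)))?"
    r"(?: \((?P<note>.*)\))?$"
)
# "CVE-YYYY-NNNN (description)" header that starts each record
CVE_HEADER = re.compile(r"^(?P<cve>CVE-\d{4}-\d{4,})(?: \((?P<desc>.*)\))?$")


@dataclass
class ReleaseEntry:
    cve: str
    release: str
    package: str
    state: Optional[str]     # no-dsa, postponed, ignored, not-affected, ...
    version: Optional[str]   # fixed version, when the line carries one instead of a state
    note: Optional[str]      # free text in parentheses, e.g. "Minor issue"


def parse_cve_list(text: str) -> List[ReleaseEntry]:
    """Collect the per-release lines of every CVE record in the list text."""
    entries: List[ReleaseEntry] = []
    current_cve: Optional[str] = None
    for line in text.splitlines():
        header = CVE_HEADER.match(line)
        if header:
            current_cve = header.group("cve")
            continue
        m = RELEASE_LINE.match(line)
        if m and current_cve:
            entries.append(ReleaseEntry(
                cve=current_cve,
                release=m.group("release"),
                package=m.group("package"),
                state=m.group("state"),
                version=m.group("version"),
                note=m.group("note"),
            ))
    return entries


def triage_signal(entry: ReleaseEntry) -> str:
    """Reduce a release line to the signal the thread says it actually carries.

    <ignored> / <postponed> are explicit handling decisions by the Debian
    Security / LTS teams. A plain <no-dsa> only says no advisory is issued;
    its parenthetical note is free text and is not a severity rating.
    """
    if entry.version:
        return "fixed"
    if entry.state in ("ignored", "postponed"):
        return entry.state
    if entry.state == "no-dsa":
        return "no-dsa (no advisory; note is free text, not a severity)"
    return entry.state or "unknown"


def summarize(text: str) -> Dict[str, str]:
    """Return {"CVE/release": signal} for every parsed release line."""
    return {f"{e.cve}/{e.release}": triage_signal(e) for e in parse_cve_list(text)}


if __name__ == "__main__":
    for key, signal in summarize(SAMPLE_LIST).items():
        print(f"{key:28} {signal}")
```

    Run it against the real `data/CVE/list` from the tracker's repository instead of
    the constructed sample to see the same split on live data. Note that, as the reply
    below points out, the tracker's triage states exist to guide the Debian teams' own
    work, so anything built on them should carry its own severity assessment rather
    than read one out of the note text.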
  • From Sylvain Beucler@21:1/5 to Hadas Bloom on Mon Nov 21 15:00:01 2022
    Hi,

    You may want to read this thread: https://lists.debian.org/debian-security/2021/05/msg00010.html https://lists.debian.org/debian-security/2021/05/msg00012.html

    I'd suggest you also explain your context, you seem to use the Debian
    tracker to trigger some action on your part, while the triage is meant
    to guide the Debian Security / LTS Teams' actions only, and is not
    particularly fine-grained.

    Cheers!
    Sylvain Beucler
    Debian LTS Team
