Bug#1036467: virtuoso-opensource: CVE-2023-31607 CVE-2023-31608 CVE-2023-31609 CVE-2023-31610 CVE-2023-31611 CVE-2023-31612 CVE-2023-31613 CVE-2023-31614 CVE-2023-31615 CVE-2023-31616 CVE-2023-31617 CVE-2023-31618 CVE-2023-31619 CVE-2023-31620 CVE-2023-31621 CVE-2023-31622 CVE-2023-31623 CVE-2023-31624 CVE-2023-31625 CVE-2023-31626 CVE-2023-31627 CVE-2023-31628 CVE-2023-31629 CVE-2023-31630 CVE-2023-31631

Salvatore Bonaccorso carnil at debian.org
Fri Mar 22 18:14:32 GMT 2024


Control: severity -1 serious

Hi Andreas,

On Thu, Mar 14, 2024 at 09:08:50PM +0100, Salvatore Bonaccorso wrote:
> Hi Andreas,
> 
> On Thu, Mar 14, 2024 at 03:22:58PM +0100, Andreas Beckmann wrote:
> > Control: severity -1 important
> > On Sun, 21 May 2023 20:43:40 +0200 Salvatore Bonaccorso <carnil at debian.org>
> > wrote:
> > > Source: virtuoso-opensource
> > > Version: 7.2.5.1+dfsg1-0.3
> > > Severity: grave
> > 
> > Downgrading the severity since all CVEs are marked as no-dsa (minor issue).
> 
> This is actually orthogonal. We might indicate with an RC severity that
> we think the next stable release should not ship with these issues
> unfixed. And in fact the package was not in testing.
> 
> Lowering the severity actually makes it re-enter testing next (well,
> actually once it is possible, I guess, as the migration is still blocked).
> 
> Please reconsider the lowering of the severity with that information
> (but I will not set it back myself, but rather open it for
> discussion with the above, and maybe the maintainers will comment as well).

I'm reconsidering my above statement.

As this has meanwhile been fixed in experimental, and in my point of
view it is to be considered a batch of issues which we want to see
fixed in trixie, I'm going to raise the severity again to RC, to make
the intention clear.

Andreas, I hope this is still fine with you, and that it makes clear that we
should have the version in experimental go to trixie. Again, this is
orthogonal to the no-dsa marking perspective.

Regards,
Salvatore
