On Tue, Nov 26, 2024 at 6:08 PM Michel Lind <michel@xxxxxxxxxxxxxxx> wrote: > > On Tue, Nov 26, 2024 at 12:11:27PM -0300, Marco Benatto wrote: > > Hello all, > > > > We recently noticed there's a couple of PRs opened to fix > > vulnerabilities in EPEL8 python-django3 with no response from the > > maintainer (CC'ed). This is an important update as it fixes 4 > > different CVEs. > > > > https://src.fedoraproject.org/rpms/python-django3/pull-request/2 > > > > I have raised a bugzilla bug asking for contact according > > https://docs.fedoraproject.org/en-US/fesco/Policy_for_nonresponsive_package_maintainers/ > > > > https://bugzilla.redhat.com/show_bug.cgi?id=2328973 > > > > may i please have your help in contacting the maintainer? > > > That PR was never in a state where it's merge-able, FYI > > - nothing provides python3.6dist(asgiref) >= 3.3.2 needed by python3-django3-3.2.25-1.el8.noarch from @commandline > > There are also other avenues to ask for help - note that this package is > co-maintained by the EPEL Packagers SIG, and I don't see any attempt to > reach out on the epel-devel list. > > While I have the attention from someone on prod sec, could you all fix > your CVE scanners to *not* file Javascript bugs against packages that > have JS code in their source code only as part of documentation and not > in any binary packages? 90% of CVEs in my inbox are false positives > Yeah, I have a variation of this problem too. I have gotten piles of false positive CVE bugs to the point that I've started ignoring them unless someone points to me specifically about them or if I receive other intelligence indicating they are important. What pushed me over the edge was almost six months of false positive CVE bug reports a couple years ago on various packages about ffmpeg vulnerabilities that didn't apply to anything we shipped. Now, I filter them and only worry about them if I receive secondary intelligence. I know that's probably not the intended purpose here, but it's a lot of work to validate vulnerabilities and the vulnerability rate doesn't match the reported rate for me in practice. :( -- 真実はいつも一つ!/ Always, there's only one truth! -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue