
Decide what to do with the <no-dsa> CVEs

This is more of a reminder and placeholder for the discussion of this topic. After the discussion, the documentation should be updated to formulate one rule.

There was a discussion about the CVE issues that carry the <no-dsa> tag.

no-dsa means that it is not urgent to fix the issue through the security queue; it should be fixed via proposed-updates instead. So the issue is not considered particularly dangerous. The corresponding maintainer should take care to upload a package to the p-u queue and file the corresponding bug.

For (E)LTS releases we do not have point releases, so basically we should fix all such CVEs as well.

Before doing that, it makes sense to fix such issues in the stable/oldstable releases first, because if an issue is fixed in o-o-stable but not in the newer releases, users will get a vulnerable package back after a distribution upgrade, which is not good.

Edited by Anton Gladky