data/CVE/list

@@ -1625,6 +1625,8 @@ CVE-2020-7107 (The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS vi
 CVE-2020-7106 (Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.p ...)
 	{DLA-2069-1}
 	- cacti <unfixed>
+	[buster] - cacti <postponed> (can be fixed along with more important issues)
+	[stretch] - cacti <postponed> (can be fixed along with more important issues)
 	NOTE: https://github.com/Cacti/cacti/issues/3191
 	NOTE: https://github.com/Cacti/cacti/commit/4cbb045e03ee20a2bd09094a201a925fbb8a39d9
 	NOTE: https://github.com/Cacti/cacti/commit/47a000b5aba4af16967e249b25f25397506e3464

data/dla-needed.txt

@@ -11,6 +11,10 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 
 --
 cacti (Chris Lamb)
+  NOTE: CVE-2020-7106: one more followup fix is coming (currently PRed by
+  NOTE: @smutranchi), we should probably wait for the fix to stabilize &
+  NOTE: potential regression reports to come up before releasing a regression
+  NOTE: update (2020-01-23, hle)
 --
 clamav (Hugo Lefeuvre)
   NOTE: 20200111: waiting for 0.102.1 to enter stretch/buster.