Contents of /data/lts-needed.txt
Revision 28567 - (show annotations) (download)
Tue Sep 2 18:02:05 2014 UTC by alteholz
File MIME type: text/plain
File size: 3347 byte(s)
eglibc done
A squeeze-lts security update is needed for the following source packages.

The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it.

--
commons-beanutils
--
evince
--
fex (non-free)
--
gnupg2
Please talk to the maintainer Eric, as he most likely would do the upload himself
--
graphicsmagick
--
icinga
--
libextlib-ruby
--
libjson-ruby
--
libphp-snoopy
--
librack-ruby
--
libspring-2.5-java
--
libtasn1-3
--
libwpd (Holger Levsen)
--
libxml-security-java (Thorsten Alteholz)
--
libxstream-java (Holger Levsen, help welcome)
--
linux-2.6
--
nfs-utils
--
nss
--
openjdk-6
--
php5 (Thorsten Alteholz)
--
python-django (Thorsten Alteholz)
--
qt4-x11
--
roundup
--
ruby (several versions)
--
squid3
--
tomcat6 (Holger Levsen)
--
xlhtml
--
zendframework
--


How is this list being updated?
-------------------------------

Have a look at the distro view on squeeze:
https://security-tracker.debian.org/tracker/status/release/oldstable

It contains all security issues which are unfixed and which haven't been tagged
as <no-dsa>. These are security issues which have a minor impact and aren't worth
an update on their own (e.g. if a security issue can only be exploited in rare
circumstances or if it's only of minor impact). Examples:
* A vulnerability in a server which is only exploitable in a rare or inherently
insecure setup
* Local temp races allowing DoS
* Minor denial of service issues

It might also be the case that a package is heavily used in stable, but has no
reverse deps in oldstable and was introduced on a rather experimental basis.

no-dsa doesn't mean that a security issue will remain unfixed. For standard stable
and oldstable in Debian there are regular point updates which incorporate such
minor fixes. There are no such point updates for Debian LTS, though. But if e.g.
there's a minor issue in a package, it can be postponed using no-dsa, and if there's
later a more severe issue, the issue formerly tagged as no-dsa can be fixed along
with it.

Keep in mind that every update may potentially introduce a regression and that
every update involves work for the admin rolling out the updated package!


So, if there's a security issue in a package listed at
https://security-tracker.debian.org/tracker/status/release/oldstable which is not
yet present in this file, you should do the following:

I. Is the vulnerability present in the version in squeeze-lts? Often the vulnerable
code has been introduced later. Don't blindly follow upstream advisories! Example:
Software project X is currently at release 2.1.2 and provides updates for 2.0.x and
2.1.x while squeeze-lts is at 1.8.x. Always check the code unless upstream explicitly
states that e.g. the issue was introduced in 2.0 with git commit foobar.

II. If the vulnerable code is present, does the vulnerability warrant a security
update? If not, it can be tagged no-dsa. Issues tagged as no-dsa in stable might
qualify as such, but you're free to use your own judgement.

III. If the code is present and the issue is severe enough and not yet present
in this file, add it (preserving the alphabetical order). Even better, add yourself
as the person working on a fixed package!
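Since step III relies on the file staying alphabetical and on claimants being visible, here is an added example (not part of the secure-testing repository or its tooling) that parses the "--" separated entry format above, lists packages nobody has claimed, and flags entries that break the alphabetical order. The SAMPLE text is a constructed excerpt; the names parse_entries, unclaimed and order_violations are this example's own.

```python
import re
# Constructed excerpt in the lts-needed.txt layout (not the live file); 'gnupg2'
# before 'fex' is deliberately out of order so the order check has something to find.
SAMPLE = """\
--
commons-beanutils
--
gnupg2
Please talk to the maintainer Eric, as he most likely would do the upload himself
--
fex (non-free)
--
libxstream-java (Holger Levsen, help welcome)
--

How is this list being updated?
"""
# Source package name, optionally followed by "(non-free)" or "(claimant[, remark])".
ENTRY_RE = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*)(?:\s+\((?P<paren>[^)]*)\))?\s*$")

def parse_entries(text):
    """Split the '--' delimited list into entries; it ends at the first blank line."""
    blocks, block = [], None
    for line in text.splitlines():
        if line.strip() == "--":
            if block: blocks.append(block)
            block = []
        elif block is None:        # still in the preamble before the first '--'
            continue
        elif not line.strip():     # blank line after the list: trailing prose follows
            break
        else:
            block.append(line.rstrip())
    entries = []
    for lines in blocks + ([block] if block else []):   # tolerate a missing final '--'
        m = ENTRY_RE.match(lines[0])
        if not m: raise ValueError("malformed entry line: %r" % lines[0])
        paren = m.group("paren")   # '(non-free)' is an archive area, not a claimant
        entries.append({"package": m.group("pkg"), "notes": lines[1:],
                        "claimant": None if paren in (None, "non-free") else paren})
    return entries

def unclaimed(entries):
    # Packages nobody has put their name behind yet.
    return [e["package"] for e in entries if e["claimant"] is None]

def order_violations(entries):
    # Packages placed before one that sorts earlier (step III asks for alphabetical order).
    names = [e["package"] for e in entries]
    return [n for prev, n in zip(names, names[1:]) if n < prev]
```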