/[secure-testing]/data/lts-needed.txt

Contents of /data/lts-needed.txt

Revision 27918
Wed Jul 23 19:12:09 2014 UTC by alteholz
File MIME type: text/plain
File size: 3701 byte(s)
php5 for LTS done
A squeeze-lts security update is needed for the following source packages.

The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it.

--
acpi-support
--
cacti (Paul Gevers)
--
commons-beanutils
--
evince
CVE-2011-0433
--
fail2ban (Thorsten Alteholz)
CVE-2009-5023 (#544232) was already solved in fail2ban (0.8.4-3+squeeze1)
CVE-2013-7176, CVE-2013-7177
--
fex (non-free)
--
file
--
gnupg2
NOTE: please talk to the maintainer Eric, as he most likely would do the upload himself
--
graphicsmagick
--
icinga
--
libapache-mod-security
--
libextlib-ruby
--
libjson-ruby
--
libphp-snoopy
--
librack-ruby
--
libspring-2.5-java
--
libtasn1-3
CVE-2014-3467
CVE-2014-3468
CVE-2014-3469
--
libwpd
--
libxml-security-java
--
libxstream-java
--
linux-2.6
--
munin (Christoph Biedl + h01ger)
--
nfs-utils
--
nss (Raphael Geissert)
--
openjdk-6
--
openssl
--
polarssl
NOTE: will need additional fix for #738854
--
poppler
--
python2.6 (Raphael Geissert)
--
qt4-x11
--
roundup
--
ruby (several versions)
--
sendmail (Thorsten Alteholz)
CVE-2014-3956 (minor issue)
--
tomcat6
--
xlhtml
--
zendframework
--


How is this list being updated?
-------------------------------

Have a look at the distro view on squeeze:
https://security-tracker.debian.org/tracker/status/release/oldstable

It contains all security issues which are unfixed and which haven't been tagged
as <no-dsa>. These are security issues which have a minor impact and aren't worth
an update on their own (e.g. if a security issue can only be exploited in rare
circumstances or if it's only of minor impact). Examples:
* A vulnerability in a server which is only exploitable in a rare or inherently
  insecure setup
* Local temp races allowing DoS
* Minor denial of service issues

It might also be the case that a package is heavily used in stable, but has no
reverse deps in oldstable and was introduced on a rather experimental basis.

no-dsa doesn't mean that a security issue will remain unfixed. For standard stable
and oldstable in Debian there are regular point updates which incorporate such
minor fixes. There are no such point updates for Debian LTS, though. But if e.g.
there's a minor issue in a package, it can be postponed using no-dsa, and if a
more severe issue turns up later, the issue formerly tagged as no-dsa can be fixed
along with it.

Keep in mind that every update may potentially introduce a regression and that
every update involves work for the admin rolling out the updated package!


So, if there's a security issue in a package listed at
https://security-tracker.debian.org/tracker/status/release/oldstable which is not
yet present in this file, you should do the following:

I. Is the vulnerability present in the version in squeeze-lts? Often the vulnerable
code has been introduced later. Don't blindly follow upstream advisories! Example:
Software project X is currently at release 2.1.2 and provides updates for 2.0.x and
2.1.x while squeeze-lts is at 1.8.x. Always check the code unless upstream explicitly
states that e.g. the issue was introduced in 2.0 with git commit foobar.

II. If the vulnerable code is present, does the vulnerability warrant a security
update? If not, it can be tagged no-dsa. Issues tagged as no-dsa in stable might
qualify as such, but you're free to use your own judgement.

III. If the code is present and the issue is severe enough and not yet present
in this file, add it (preserving the alphabetical order). Even better, add yourself
as the person working on a fixed package!
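
As an added example (not part of lts-needed.txt or of the secure-testing repository), a small Python helper for the list format above: it parses the "--"-delimited blocks, reports packages nobody has put their name behind, checks the alphabetical order step III asks for, inserts a new package at the right place and records a claimant. The sample text is a constructed excerpt of the list. The helper treats any parenthesised text after a package name as the claimant, which is the file's stated convention, so the few entries that use parentheses for other remarks (such as "fex (non-free)") still have to be judged by hand.

```python
import re

SEP = "--"
# First line of an entry: "<source package>" optionally followed by " (<who>)".
# The file's convention is that the parenthesised text is the person working on
# the package; entries like "fex (non-free)" use it differently and this parser
# cannot tell them apart, so review its output by hand.
ENTRY_RE = re.compile(r"^(?P<name>\S+)(?:\s+\((?P<who>[^)]*)\))?\s*$")


def parse_list(text):
    """Split lts-needed.txt into (header lines, entries, trailer lines).

    Entries are the '--'-delimited blocks; each becomes a dict holding the
    package name, the claimant (None if unclaimed) and the remaining note lines
    (CVE ids, remarks). Header and trailer are kept so the file can be rewritten.
    """
    lines = text.splitlines()
    if SEP not in lines:
        return lines, [], []
    first = lines.index(SEP)
    header, entries, block = lines[:first], [], []
    for line in lines[first + 1:]:
        if line != SEP:
            block.append(line)
            continue
        if any(l.strip() for l in block):  # skip empty blocks between separators
            m = ENTRY_RE.match(block[0])
            if m is None:
                raise ValueError("cannot parse entry line: %r" % block[0])
            entries.append({"name": m.group("name"),
                            "claimed_by": m.group("who"),
                            "notes": block[1:]})
        block = []
    return header, entries, block  # whatever follows the last '--' is the trailer


def render_list(header, entries, trailer):
    """Write the structure back in the same '--'-delimited format."""
    out = list(header) + [SEP]
    for e in entries:
        who = " (%s)" % e["claimed_by"] if e["claimed_by"] else ""
        out.append(e["name"] + who)
        out.extend(e["notes"])
        out.append(SEP)
    out.extend(trailer)
    return "\n".join(out) + "\n"


def unclaimed(entries):
    """Packages nobody has put their name behind yet."""
    return [e["name"] for e in entries if not e["claimed_by"]]


def order_violations(entries):
    """Neighbouring names that break the alphabetical order the file requires."""
    names = [e["name"] for e in entries]
    return [(a, b) for a, b in zip(names, names[1:]) if a.lower() > b.lower()]


def add_package(entries, name, claimed_by=None, notes=()):
    """Insert a new package at its alphabetical position (step III); returns the index."""
    if any(e["name"] == name for e in entries):
        raise ValueError("%s is already listed" % name)
    pos = len(entries)
    for i, e in enumerate(entries):
        if e["name"].lower() > name.lower():
            pos = i
            break
    entries.insert(pos, {"name": name, "claimed_by": claimed_by, "notes": list(notes)})
    return pos


def claim_package(entries, name, person):
    """Put `person`'s name behind `name`, refusing to overwrite someone else's claim."""
    for e in entries:
        if e["name"] == name:
            if e["claimed_by"] and e["claimed_by"] != person:
                raise ValueError("%s is already claimed by %s" % (name, e["claimed_by"]))
            e["claimed_by"] = person
            return e
    raise KeyError(name)


# Constructed excerpt in the format of the file above (not the complete list).
SAMPLE = """\
A squeeze-lts security update is needed for the following source packages.

To pick an issue, simply add your name behind it.

--
acpi-support
--
cacti (Paul Gevers)
--
evince
CVE-2011-0433
--
libtasn1-3
CVE-2014-3467
CVE-2014-3468
--
sendmail (Thorsten Alteholz)
CVE-2014-3956 (minor issue)
--

How is this list being updated?
"""

if __name__ == "__main__":
    header, entries, trailer = parse_list(SAMPLE)
    print("unclaimed:", unclaimed(entries))
    print("order problems:", order_violations(entries))
    add_package(entries, "file")                      # lands between evince and libtasn1-3
    claim_package(entries, "evince", "Example Person")  # placeholder name
    print(render_list(header, entries, trailer))
```

Because the header and trailer are carried through unchanged, parsing and re-rendering an untouched list reproduces it byte for byte, which is a cheap check to run before committing an edited copy.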
