/[secure-testing]/data/lts-needed.txt
Contents of /data/lts-needed.txt

Revision 28455 - (show annotations) (download)
Sun Aug 24 20:16:43 2014 UTC (5 days, 2 hours ago) by alteholz
File MIME type: text/plain
File size: 3337 byte(s)
add and take python-django
A squeeze-lts security update is needed for the following source packages.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it.

--
commons-beanutils
--
evince
--
fex (non-free)
--
gnupg2
Please talk to the maintainer Eric, as he most likely would do the upload himself
--
graphicsmagick
--
icinga
--
libextlib-ruby
--
libjson-ruby
--
libphp-snoopy
--
librack-ruby
--
libspring-2.5-java
--
libtasn1-3
--
libwpd (Holger Levsen)
--
libxml-security-java (Thorsten Alteholz)
--
libxstream-java (Holger Levsen, help welcome)
--
linux-2.6
--
nfs-utils
--
nss
--
openjdk-6
--
php5 (Thorsten Alteholz)
--
python-django (Thorsten Alteholz)
--
qt4-x11
--
roundup
--
ruby (several versions)
--
tomcat6 (Holger Levsen)
--
xlhtml
--
zendframework
--


How is this list being updated?
-------------------------------

Have a look at the distro view on squeeze:
https://security-tracker.debian.org/tracker/status/release/oldstable

It contains all security issues which are unfixed and which haven't been tagged
as <no-dsa>. Issues tagged <no-dsa> are those which have a minor impact and aren't
worth an update on their own (e.g. if a security issue can only be exploited in rare
circumstances or if it's only of minor impact). Examples:
* A vulnerability in a server which is only exploitable in a rare or inherently
insecure setup
* Local temp races allowing DoS
* Minor denial of service issues

It might also be the case that a package is heavily used in stable, but has no
reverse deps in oldstable and was introduced on a rather experimental basis.

no-dsa doesn't mean that a security issue will remain unfixed. For standard stable
and oldstable in Debian there are regular point updates which incorporate such
minor fixes. There are no such point updates for Debian LTS, though. But if e.g.
there's a minor issue in a package, it can be postponed using no-dsa, and if there's
later a more severe issue, the issue formerly tagged as no-dsa can be fixed along
with it.

Keep in mind that every update may potentially introduce a regression and that
every update involves work for the admin rolling out the updated package!


So, if there's a security issue in a package listed at
https://security-tracker.debian.org/tracker/status/release/oldstable which is not
yet present in this file, you should do the following:

I. Is the vulnerability present in the version in squeeze-lts? Often the vulnerable
code has been introduced later. Don't blindly follow upstream advisories! Example:
Software project X is currently at release 2.1.2 and provides updates for 2.0.x and
2.1.x while squeeze-lts is at 1.8.x. Always check the code unless upstream explicitly
tells that e.g. the issue was introduced in 2.0 with git commit foobar.

II. If the vulnerable code is present, does the vulnerability warrant a security
update? If not, it can be tagged no-dsa. Issues tagged as no-dsa in stable might
qualify as such, but you're free to use your own judgement.

III. If the code is present and the issue is severe enough and not yet present
in this file, add it (preserving the alphabetical order). Even better, add yourself
as the person working on a fixed package!

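Steps I to III end with editing this file by hand. As an added example, not part of the secure-testing repository, the following Python helper parses the list format used above (entries separated by lines containing only "--", each starting with a source package name optionally followed by a parenthesised annotation, with further lines kept as notes), reports entries nobody has picked yet, checks the alphabetical order step III asks for, and inserts or claims a package at the right position. The sample text it runs on is constructed for this example. The rule that an annotation containing a capitalised word is a claimant's name is an assumption of this example, so "(non-free)" and "(several versions)" count as unclaimed.

```python
"""Helper for maintaining an lts-needed.txt style list.

Added example, not code from the Debian secure-testing repository. Assumed
layout: a free-form preamble, then entries separated by lines containing only
'--', then a trailer after the final separator. An entry's first line is the
source package name, optionally followed by an annotation in parentheses;
any further non-blank lines are notes.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SEPARATOR = "--"
# Debian source package names: lowercase letters, digits, '+', '-', '.'.
PKG_RE = re.compile(r"[a-z0-9][a-z0-9+.-]+")
HEADER_RE = re.compile(rf"^(?P<pkg>{PKG_RE.pattern})(?:\s+\((?P<ann>[^)]*)\))?\s*$")


@dataclass
class Entry:
    package: str
    annotation: Optional[str] = None  # text inside the parentheses, if any
    notes: list = field(default_factory=list)

    @property
    def claimed(self) -> bool:
        # Heuristic (assumption of this example): a claim names a person and so
        # contains a capitalised word; "non-free" or "several versions" do not.
        return bool(self.annotation and re.search(r"\b[A-Z][a-z]+", self.annotation))

    def render(self) -> list:
        head = self.package if self.annotation is None else f"{self.package} ({self.annotation})"
        return [head, *self.notes]


def parse(text: str):
    """Return (preamble, entries, trailer); entries are the chunks between separators."""
    lines = text.splitlines()
    seps = [i for i, line in enumerate(lines) if line.strip() == SEPARATOR]
    if len(seps) < 2:
        raise ValueError("need at least two '--' separator lines")
    preamble, trailer = lines[:seps[0]], lines[seps[-1] + 1:]
    entries = []
    for start, end in zip(seps, seps[1:]):
        body = [line for line in lines[start + 1:end] if line.strip()]
        if not body:
            continue  # tolerate an empty slot between two separators
        m = HEADER_RE.match(body[0])
        if m is None:
            raise ValueError(f"unparseable entry header: {body[0]!r}")
        entries.append(Entry(m["pkg"], m["ann"], body[1:]))
    return preamble, entries, trailer


def render(preamble, entries, trailer) -> str:
    """Serialise back into the file format (round-trips an unmodified file)."""
    out = list(preamble)
    for e in entries:
        out.append(SEPARATOR)
        out.extend(e.render())
    out.append(SEPARATOR)
    out.extend(trailer)
    return "\n".join(out) + "\n"


def out_of_order(entries):
    """Package names that break the alphabetical (plain string) order."""
    return [b.package for a, b in zip(entries, entries[1:]) if b.package < a.package]


def unclaimed(entries):
    """Packages nobody has put their name behind yet."""
    return [e.package for e in entries if not e.claimed]


def add_package(entries, package: str, note: Optional[str] = None) -> Entry:
    """Step III: insert a new source package at its alphabetical position."""
    if not PKG_RE.fullmatch(package):
        raise ValueError(f"not a valid source package name: {package!r}")
    if any(e.package == package for e in entries):
        raise ValueError(f"{package} is already listed")
    new = Entry(package, None, [note] if note else [])
    pos = next((i for i, e in enumerate(entries) if e.package > package), len(entries))
    entries.insert(pos, new)
    return new


def claim(entries, package: str, person: str) -> Entry:
    """Put a name behind an entry (the annotation becomes the claimant)."""
    for e in entries:
        if e.package == package:
            e.annotation = person
            return e
    raise KeyError(package)


# Constructed sample in the file's format (not the real lts-needed.txt).
SAMPLE = """\
A squeeze-lts security update is needed for the following source packages.

--
commons-beanutils
--
fex (non-free)
--
libwpd (Holger Levsen)
--
ruby (several versions)
--
tomcat6 (Holger Levsen)
--

How is this list being updated?
"""

if __name__ == "__main__":
    preamble, entries, trailer = parse(SAMPLE)
    print("unclaimed:", unclaimed(entries))
    print("out of order:", out_of_order(entries))
    add_package(entries, "php5")
    claim(entries, "php5", "Thorsten Alteholz")
    print(render(preamble, entries, trailer))
```

Running the script on a real copy of the file is a matter of replacing SAMPLE with the file's contents; because render() reproduces the separators and notes exactly, a diff of the output against the original shows only the inserted or claimed entry.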
