/[secure-testing]/data/lts-needed.txt

Contents of /data/lts-needed.txt



Revision 28000
Wed Jul 30 17:36:20 2014 UTC by odyx
File MIME type: text/plain
File size: 3630 byte(s)
Reserve cups update
A squeeze-lts security update is needed for the following source packages.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it.

--
acpi-support (Raphael Geissert)
--
cacti (Paul Gevers)
--
commons-beanutils
--
cups (OdyX)
--
evince
CVE-2011-0433
--
fex (non-free)
--
file (Holger Levsen)
--
gnupg2
NOTE: please talk to the maintainer Eric, as he most likely would do the upload himself
--
graphicsmagick
--
icinga
--
libapache-mod-security
--
libextlib-ruby
--
libjson-ruby
--
libphp-snoopy
--
librack-ruby
--
libspring-2.5-java
--
libtasn1-3
CVE-2014-3467
CVE-2014-3468
CVE-2014-3469
--
libwpd
--
libxml-security-java
--
libxstream-java
--
linux-2.6
--
munin (Christoph Biedl + h01ger)
--
nfs-utils
--
nss (Raphael Geissert)
--
openjdk-6
--
openssl
--
polarssl
NOTE: will need additional fix for #738854
--
poppler (Raphael Geissert)
--
python2.6 (Raphael Geissert)
--
qt4-x11
--
roundup
--
ruby (several versions)
--
sendmail (Thorsten Alteholz)
CVE-2014-3956 (minor issue)
--
tomcat6
--
xlhtml
--
zendframework
--


How is this list being updated?
-------------------------------

Have a look at the distro view on squeeze:
https://security-tracker.debian.org/tracker/status/release/oldstable

It contains all security issues which are unfixed and which haven't been tagged
as <no-dsa>. Issues tagged no-dsa are those with a minor impact that aren't worth
an update on their own (e.g. if a security issue can only be exploited in rare
circumstances or if it's only of minor impact). Examples:
* A vulnerability in a server which is only exploitable in a rare or inherently
insecure setup
* Local temp races allowing DoS
* Minor denial of service issues

It might also be the case that a package is heavily used in stable, but has no
reverse deps in oldstable and was introduced on a rather experimental basis.

no-dsa doesn't mean that a security issue will remain unfixed. For standard stable
and oldstable in Debian there are regular point updates which incorporate such
minor fixes. There are no such point updates for Debian LTS, though. But if e.g.
there's a minor issue in a package, it can be postponed using no-dsa, and if
later a more severe issue appears, the issue formerly tagged as no-dsa can be
fixed along with it.

Keep in mind that every update may potentially introduce a regression and that
every update involves work for the admin rolling out the updated package!


So, if there's a security issue in a package listed at
https://security-tracker.debian.org/tracker/status/release/oldstable which is not
yet present in this file, you should do the following:

I. Is the vulnerability present in the version in squeeze-lts? Often the vulnerable
code has been introduced later. Don't blindly follow upstream advisories! Example:
Software project X is currently at release 2.1.2 and provides updates for 2.0.x and
2.1.x while squeeze-lts is at 1.8.x. Always check the code unless upstream explicitly
states that e.g. the issue was introduced in 2.0 with git commit foobar.

II. If the vulnerable code is present, does the vulnerability warrant a security
update? If not, it can be tagged no-dsa. Issues tagged as no-dsa in stable might
qualify as such, but you're free to use your own judgement.

III. If the code is present and the issue is severe enough and not yet present
in this file, add it (preserving the alphabetical order). Even better, add yourself
as the person working on a fixed package!

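Steps I to III above keep this file in sync with the tracker. As an added example, not part of this file or of the secure-testing repository, here is a small parser for the file's own layout (blocks separated by `--`, a package line with an optional parenthesised claimer, then CVE and NOTE lines) plus a helper that adds a package while preserving the alphabetical order step III asks for. The sample text is constructed from entries in this file; the function names are my own.

```python
import bisect
import re

# Constructed sample in the lts-needed.txt layout (not the real file contents).
SAMPLE = """\
--
cacti (Paul Gevers)
--
evince
CVE-2011-0433
--
polarssl
NOTE: will need additional fix for #738854
--
sendmail (Thorsten Alteholz)
CVE-2014-3956 (minor issue)
--
"""
HEADER_RE = re.compile(r"^(?P<name>\S+)(?:\s+\((?P<note>[^)]*)\))?$")  # "pkg" or "pkg (claimer)"
CVE_RE = re.compile(r"^(?P<cve>CVE-\d{4}-\d{4,})(?:\s+\(.*\))?$")  # trailing "(minor issue)" allowed

def parse_lts_needed(text: str) -> list[dict]:
    """Read the '--'-separated package blocks; prose before and after them is ignored."""
    lines = [ln.strip() for ln in text.splitlines()]
    seps = [i for i, ln in enumerate(lines) if ln == "--"]
    body = [ln for ln in lines[seps[0]:seps[-1] + 1] if ln] if len(seps) > 1 else []
    entries, cur = [], None
    for line in body:
        if line == "--":
            entries += [cur] if cur else []
            cur = None
        elif cur is None:  # first line of a block names the source package
            if not (m := HEADER_RE.match(line)):
                raise ValueError(f"unexpected package line: {line!r}")
            cur = {"name": m["name"], "claimer": m["note"], "cves": [], "notes": []}
        elif line.startswith("NOTE:"):
            cur["notes"].append(line[5:].strip())
        elif (m := CVE_RE.match(line)):  # keep only the CVE id, drop the parenthesised remark
            cur["cves"].append(m["cve"])
        else:
            raise ValueError(f"unexpected line under {cur['name']}: {line!r}")
    return entries

def add_package(entries: list[dict], name: str, claimer=None) -> list[dict]:
    """Step III: insert a package keeping alphabetical order; refuse duplicates."""
    names = [e["name"] for e in entries]
    if name in names:
        raise ValueError(f"{name} is already listed")
    pos = bisect.bisect(names, name)
    return entries[:pos] + [{"name": name, "claimer": claimer, "cves": [], "notes": []}] + entries[pos:]
```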
