Hello,
Thanks for your answers.
According to [1], there are several (25 to be precise) CVEs which might affect trafficserver in oldoldstable-backports.
A quick look at [2] shows a CVE score up to 7.8.
Since stretch-backport is "discontinued" (whatever it could mean: is it frozen but still available? Has it been put offline?), as Paul reminded, I'm fine to leave the package as is.
But, since I'm considering backporting trafficserver 9.1, I'd like to get a clear understanding of the right procedure to contact backports release managers.
Best,
Jean Baptiste
[1]: https://security-tracker.debian.org/tracker/status/release/oldoldstable-backports
[2]: https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-19990/Apache-Traffic-Server.html
[3]: https://tracker.debian.org/pkg/trafficserver
On 5/21/22 22:57, Jonathan Hutchins wrote:
I would expect that a package for stretch would not be maintained, but that wouldn't be a reason to remove it unless there was a known exploitable vulnerability.
Is there a security problem with the package? Which one?
On 2022-05-21 15:48, Jean Baptiste Favre wrote:
Hello,
I figured out one of my packages is still in stretch-backport. Of course, it's not maintained anymore and I'd like to get it removed.
Usually, I report a bug against ftp.debian.org. I know this is not what I'm supposed to do for backport, but I didn't find any procedure on backports.debian.org.
Who am I supposed to contact?
Best,
Jean Baptiste