
Re: Package removal request from backport ?

Thanks for your answers.

According to [1], there are several (25 to be precise) CVEs which might affect trafficserver in oldoldstable-backports.

A quick look at [2] shows a CVE score of up to 7.8.

Since stretch-backport is "discontinued" (whatever that could mean: is it frozen but still available? Has it been put offline?), as Paul reminded, I'm fine to leave the package as is.

But, since I'm considering backporting trafficserver 9.1, I'd like to get a clear understanding of the right procedure to contact backports release managers.

Jean Baptiste

[1]: https://security-tracker.debian.org/tracker/status/release/oldoldstable-backports
[2]: https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-19990/Apache-Traffic-Server.html
[3]: https://tracker.debian.org/pkg/trafficserver

On 5/21/22 22:57, Jonathan Hutchins wrote:
I would expect that a package for stretch would not be maintained, but that wouldn't be a reason to remove it unless there was a known exploitable vulnerability.  Is there a security problem with the package?  Which one?

On 2022-05-21 15:48, Jean Baptiste Favre wrote:
I figured out one of my packages is still in stretch-backport.
Of course, it's not maintained anymore and I'd like to get it removed.

Usually, I report a bug against ftp.debian.org. I know this is not
what I'm supposed to do for backport, but I didn't find any procedure
on backports.debian.org.

Who am I supposed to contact?

Jean Baptiste
