Re: Packages with a history of security issues and whose packaged version is not up to date
Hi Santiago,
thanks a lot for this list. As others mentioned, it would be helpful to
add the maintainers to the list, and I agree. ;-)
I spotted some specific packages I'd like to comment on (but I might
have missed others I should comment on).
On Thu, Feb 13, 2025 at 04:21:10PM -0300, Santiago Ruano Rincón wrote:
> num of open CVEs in sid, num of historical CVE, source name
> 2, 21, wget, (1.24.5 -> 2-latest),
We have wget and wget2 as different packages. I've fixed the watch file
of wget in Git[1]. I'll talk with the maintainer how to proceed.
> 2, 19, fis-gtm, (7.1-005 -> 7.1-006),
It's Debian Med team maintained, but we somehow lost contact with upstream.
The upgrade to the latest upstream should be no problem, and we *assume* that
the CVEs are fixed, but it's not confirmed, though.
> 0, 13, cimg, (3.5.0+dfsg -> 3.5.2),
Just building latest upstream (which should be done in any case). For
practical security issues I do not really expect severe problems even
for LTS Debian. Upstream is very responsive and might even help for
older versions.
Thanks again, and I hope I did not miss anything important in this
list.
Kind regards
Andreas.
[1] https://salsa.debian.org/noel/wget/-/merge_requests/1
--
https://fam-tille.de
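As an added example (not part of the mail thread, and not Debian's own tooling): a small parser for the list format quoted above, with a check that flags entries whose reported "latest" upstream is in a different major series than the packaged version. Such a jump is only a hint, but in the wget case above it was exactly the symptom of a watch file that tracked the wrong upstream (wget2 instead of wget). The sample lines are constructed to match the quoted format, and the helper names are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the quoted list
# (open CVEs in sid, historical CVEs, source package, packaged -> latest).
SAMPLE = """\
num of open CVEs in sid, num of historical CVE, source name
2, 21, wget, (1.24.5 -> 2-latest),
2, 19, fis-gtm, (7.1-005 -> 7.1-006),
0, 13, cimg, (3.5.0+dfsg -> 3.5.2),
"""

# One list line: "<open>, <historical>, <source>, (<packaged> -> <latest>),"
LINE_RE = re.compile(
    r"^\s*(\d+),\s*(\d+),\s*([^,]+),\s*\((\S+)\s*->\s*([^)]+)\),?\s*$"
)


@dataclass
class Entry:
    open_cves: int
    historical_cves: int
    source: str
    packaged: str
    upstream: str


def parse(text):
    """Parse list lines; header or unrelated lines are skipped.
    Leading '> ' quote markers (as in a mail reply) are tolerated."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append(
            Entry(int(m[1]), int(m[2]), m[3].strip(), m[4].strip(), m[5].strip())
        )
    return entries


def major(version):
    """Leading numeric component of a version string (before '.', '-' or '+').
    Returns None for strings that do not start with a digit."""
    m = re.match(r"\d+", version)
    return int(m[0]) if m else None


def watch_suspects(entries):
    """Sources whose 'latest' major differs from the packaged major.
    Heuristic only: a real major bump looks the same as a watch file
    that picked up a different upstream (hypothetical helper)."""
    return [e.source for e in entries if major(e.packaged) != major(e.upstream)]


def needs_attention(entries):
    """Sources with at least one open CVE in sid."""
    return [e.source for e in entries if e.open_cves > 0]


if __name__ == "__main__":
    entries = parse(SAMPLE)
    print("open CVEs:", needs_attention(entries))
    print("check watch file:", watch_suspects(entries))
```

Run it on a saved copy of the real list (or on the quoted reply itself) and review each flagged source by hand; the watch file check says nothing about whether the listed CVEs are actually fixed upstream.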