Re: debsecan with squeeze-lts
On Tue, Jun 03, 2014 at 12:14:13PM +0100, Steven Chamberlain wrote:
> Hi,
>
> I noticed an interesting problem that squeeze-lts creates for debsecan.
>
> debsecan (at least the version in squeeze) doesn't seem to know about
> libgnutls26 version 2.8.6-1+squeeze4, or even that it has the fixes from
> versions 2.8.6-1+squeeze3 and prior.
>
> It means that CVE-2014-3466 will remain as "Vulnerabilities without
> updates", and even old vulnerabilities are listed as affecting the
> installed libgnutls26 again, in the "New security updates" category.
>
> Is the security tracker expected to have data for squeeze-lts at some
> point, or should squeeze-lts users discontinue using debsecan?

The gnutls fix wasn't added to the security tracker, I'll fix that later.

I have updated the wiki documentation with all the steps needed to release
an update for squeeze-lts (starting with "Preparing fixed packages for
squeeze-lts"):

https://wiki.debian.org/LTS/Development

Cheers,
Moritz