
Re: debsecan with squeeze-lts



On Tue, Jun 03, 2014 at 12:14:13PM +0100, Steven Chamberlain wrote:
> Hi,
> 
> I noticed an interesting problem that squeeze-lts creates for debsecan.
> 
> debsecan (at least the version in squeeze) doesn't seem to know about
> libgnutls26 version 2.8.6-1+squeeze4, or even that it has the fixes from
> versions 2.8.6-1+squeeze3 and prior.
> 
> It means that CVE-2014-3466 will remain as "Vulnerabilities without
> updates", and even old vulnerabilities are listed as affecting the
> installed libgnutls26 again, in the "New security updates" category.
> 
> Is the security tracker expected to have data for squeeze-lts at some
> point, or should squeeze-lts users discontinue using debsecan?

The gnutls fix wasn't added to the security tracker, I'll fix that later.

I have updated the wiki documentation with all the steps needed to release
an update for squeeze-lts (starting with "Preparing fixed packages for 
squeeze-lts"):
https://wiki.debian.org/LTS/Development

Cheers,
        Moritz

