
squeeze-lts and the security tracker

On Tue, Jun 03, 2014 at 01:09:41PM +0200, Moritz Muehlenhoff wrote:
> On Tue, Jun 03, 2014 at 12:14:13PM +0100, Steven Chamberlain wrote:
> > Hi,
> > 
> > I noticed an interesting problem that squeeze-lts creates for debsecan.
> > 
> > debsecan (at least the version in squeeze) doesn't seem to know about
> > libgnutls26 version 2.8.6-1+squeeze4, or even that it has the fixes from
> > versions 2.8.6-1+squeeze3 and prior.
> > 
> > It means that CVE-2014-3466 will remain as "Vulnerabilities without
> > updates", and even old vulnerabilities are listed as affecting the
> > installed libgnutls26 again, in the "New security updates" category.
> > 
> > Is the security tracker expected to have data for squeeze-lts at some
> > point, or should squeeze-lts users discontinue using debsecan?
> The gnutls fix wasn't added to the security tracker, I'll fix that later.
> I have updated the wiki documentation with all the steps needed to release
> an update for squeeze-lts (starting with "Preparing fixed packages for 
> squeeze-lts"):
> https://wiki.debian.org/LTS/Development

There's an additional caveat which I missed so far: The Security Tracker
needs to parse the Packages file of squeeze-lts.

I'm adding Florian Weimer to CC, can you please add this to the tracker?

