About open CVE on krb5
Hello Sam and Russ,
I was doing some CVE triaging for Squeeze LTS and CVE-2014-5353 was still
on our radar for squeeze. I looked it up and decided that it was not
severe enough to warrant preparing an update (since you need elevated
privileges of being able to set a password policity to be able to trigger
the crash, I guess you can do worse with those privileges...).
Let me know if my analysis is incorrect so that we can reconsider
preparing an update.
In fact there are multiple issues in squeeze that have been marked
as "no-dsa" (i.e. not important enough to ask members of the LTS team to
spend their time on it). But as maintainers if you want to fix those
in squeeze, you are more than welcome to do it:
See http://wiki.debian.org/LTS/Development for instructions on how to
prepare an update. That said if you prepare a fixed package, we will
gladly take care of the administrative part of the work.
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/