About open CVE on krb5

To: Sam Hartman <hartmans@debian.org>, Russ Allbery <rra@debian.org>
Cc: debian-lts@lists.debian.org, team@security.debian.org
Subject: About open CVE on krb5
From: Raphael Hertzog <hertzog@debian.org>
Date: Mon, 22 Dec 2014 11:21:34 +0100
Message-id: <[🔎] 20141222102134.GA27669@home.ouaza.com>
Mail-followup-to: Raphael Hertzog <hertzog@debian.org>, Sam Hartman <hartmans@debian.org>, Russ Allbery <rra@debian.org>, debian-lts@lists.debian.org, team@security.debian.org

Hello Sam and Russ,

I was doing some CVE triaging for Squeeze LTS and CVE-2014-5353 was still
on our radar for squeeze. I looked it up and decided that it was not
severe enough to warrant preparing an update (since you need elevated
privileges of being able to set a password policity to be able to trigger
the crash, I guess you can do worse with those privileges...).

Let me know if my analysis is incorrect so that we can reconsider
preparing an update.

In fact there are multiple issues in squeeze that have been marked
as "no-dsa" (i.e. not important enough to ask members of the LTS team to
spend their time on it). But as maintainers if you want to fix those
in squeeze, you are more than welcome to do it:
https://security-tracker.debian.org/tracker/source-package/krb5

See http://wiki.debian.org/LTS/Development for instructions on how to
prepare an update. That said if you prepare a fixed package, we will
gladly take care of the administrative part of the work.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Reply to:

Prev by Date: Please test xorg-server update 2:1.7.7-18+deb6u1
Next by Date: [DEBIAN-LTS] ettercap package
Previous by thread: Please test xorg-server update 2:1.7.7-18+deb6u1
Next by thread: [DEBIAN-LTS] ettercap package
Index(es):
- Date
- Thread