How to deal with wireshark CVE affecting Squeeze
Hello Balint,
I would like to clarify the situation of wireshark in squeeze.
In https://bugs.debian.org/774312 you requested to mark the
package as "not-supported" and this has now been done.
So in theory I should tag all CVEs as "end-of-life" and they
will be hidden from our main view (and I will never again add "wireshark"
to dla-needed.txt):
https://security-tracker.debian.org/tracker/status/release/oldstable
But at the same time you said that you would continue to backport
the relevant fixes and you are still listed in dla-needed.txt as preparing
an update fixing the CVEs currently open in Squeeze (all of which are fixed
in Wheezy):
https://security-tracker.debian.org/tracker/source-package/wireshark
So what's the correct status that I should put on all those CVEs?
And should we keep or drop the entry in dla-needed.txt?
Maybe the package should have been added to the "limited support" list
instead of the "not-supported" one? In which case, CVEs are handled as
usual, trying to take into account the restrictions defined by the "limited
support".
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/