
How to deal with wireshark CVE affecting Squeeze



Hello Balint,

I would like to clarify the situation of wireshark in squeeze.
In https://bugs.debian.org/774312 you requested to mark the
package as "not-supported" and this has now been done.

So in theory I should tag all CVEs as "end-of-life" and they
will be hidden from our main view (and I will never again add "wireshark"
to dla-needed.txt):
https://security-tracker.debian.org/tracker/status/release/oldstable

But at the same time you said that you would continue to backport
the relevant fixes and you are still listed in dla-needed.txt as preparing
an update fixing the CVEs currently open in Squeeze (all of which are fixed
in Wheezy):
https://security-tracker.debian.org/tracker/source-package/wireshark

So what's the correct status that I should put on all those CVEs?
And should we keep or drop the entry in dla-needed.txt?

Maybe the package should have been added to the "limited support" list
instead of the "not-supported" one? In which case, CVEs are handled as
usual, trying to take into account the restrictions defined by the "limited
support".

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

