
how reliable is "debian-security-support" ? AW: [SECURITY] Security support for Wheezy handed over to the LTS team



How often do I have to update the "debian-security-support" package?

Since wheezy went to LTS, there have been several updates to the "security-support-ended.deb7" file (which lists the support state).

On my wheezy LTS test system I have:

ii  debian-security-support               2015.04.04~deb7u1

with this "security-support-ended.deb7" content:

iceape          2.7.12-1+alpha          2013-12-16 https://lists.debian.org/debian-security-announce/2013/msg00233.html
chromium-browser 37.0.2062.120-1~deb7u1 2015-01-31 https://lists.debian.org/debian-security-announce/2015/msg00031.html
ruby-actionmailer-2.3 2.3.14-3          2014-07-19 https://lists.debian.org/debian-security-announce/2014/msg00164.html
ruby-actionpack-2.3 2.3.14-5          2014-07-19 https://lists.debian.org/debian-security-announce/2014/msg00164.html
ruby-activerecord-2.3 2.3.14-6          2014-07-19 https://lists.debian.org/debian-security-announce/2014/msg00164.html
ruby-activeresource-2.3 2.3.14-3          2014-07-19 https://lists.debian.org/debian-security-announce/2014/msg00164.html
ruby-actionmailer-2.3 2.3.14-3          2014-07-19 https://lists.debian.org/debian-security-announce/2014/msg00164.html
ruby-activesupport-2.3 2.3.14-7         2014-07-19 https://lists.debian.org/debian-security-announce/2014/msg00164.html
ruby-rails-2.3 2.3.14-4          2014-07-19 https://lists.debian.org/debian-security-announce/2014/msg00164.html

But on https://anonscm.debian.org/cgit/collab-maint/debian-security-support.git/tree/security-support-ended.deb7

There are some more packages listed:

chromium-browser         37.0.2062.120-1~deb7u1  2015-01-31  https://lists.debian.org/debian-security-announce/2015/msg00031.html
iceape                   2.7.12-1+alpha          2013-12-16  https://lists.debian.org/debian-security-announce/2013/msg00233.html
ruby-actionmailer-2.3    2.3.14-3                2014-07-19  https://lists.debian.org/debian-security-announce/2014/msg00164.html
ruby-actionpack-2.3      2.3.14-5                2014-07-19  https://lists.debian.org/debian-security-announce/2014/msg00164.html
ruby-activerecord-2.3    2.3.14-6                2014-07-19  https://lists.debian.org/debian-security-announce/2014/msg00164.html
ruby-activeresource-2.3  2.3.14-3                2014-07-19  https://lists.debian.org/debian-security-announce/2014/msg00164.html
ruby-actionmailer-2.3    2.3.14-3                2014-07-19  https://lists.debian.org/debian-security-announce/2014/msg00164.html
ruby-activesupport-2.3   2.3.14-7                2014-07-19  https://lists.debian.org/debian-security-announce/2014/msg00164.html
ruby-rails-2.3           2.3.14-4                2014-07-19  https://lists.debian.org/debian-security-announce/2014/msg00164.html
redmine                  1.4.4+dfsg1-2+deb7u1    2014-07-19  Depends on ruby-rails-2.3 which is not supported
tomcat6                  6.0.45+dfsg-1~deb7u1    2016-12-31  https://tomcat.apache.org/tomcat-60-eol.html
typo3-src                4.5.19+dfsg1-5+wheezy4  2015-07-23  https://lists.debian.org/debian-security-announce/2015/msg00210.html
virtualbox               4.1.42-dfsg-1+deb7u1    2016-01-27  https://lists.debian.org/debian-security-announce/2016/msg00024.html

# Packages below are no longer supported in Wheezy during the LTS period
mantis                  1.2.18-1                2016-02-06  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2015/11/msg00019.html)
movabletype-opensource  5.1.4+dfsg-4+deb7u3     2016-02-06  Not supported in Debian LTS (http://lists.debian.org/20151104190529.GY7054@urchin.earth.li)
openjdk-6               6b38-1.13.10-1~deb7u1   2016-04-15  Not supported in Wheezy LTS https://lists.debian.org/debian-lts/2016/02/msg00153.html
openswan                1:2.6.37-3              2016-02-06  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2015/11/msg00019.html)
# Openstack support dropped
glance                  2012.1.1-5              2016-02-06  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2015/11/msg00024.html)
horizon                 2012.1.1-10             2016-02-06  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2015/11/msg00024.html)
keystone                2012.1.1-13+wheezy1     2016-02-06  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2015/11/msg00024.html)
nova                    2012.1.1-18             2016-02-06  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2015/11/msg00024.html)
python-keystoneclient   2012.1-3+deb7u1         2016-02-06  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2015/11/msg00024.html)
python-novaclient       1:2012.1-4              2016-02-06  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2015/11/msg00024.html)
swift                   1.4.8-2+deb7u1          2016-02-06  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2015/11/msg00024.html)
# End Openstack support dropped

In the history log of this file there are changes made after Wheezy went to LTS (asterix is now supported, at 2016-05-04 13:47:11), but there is no newer "debian-security-support" package that includes this.

So how reliable is "debian-security-support"?

Reiner Schulz
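
An added example, not part of the original post or of debian-security-support: a Python script that diffs the packaged copy of the list against the git copy and reports installed packages that only the newer list flags. The list excerpts are taken from the post; the installed-package set is constructed, and matching is by package name only (an assumption; versions are not compared).

```python
"""Diff two copies of security-support-ended.deb7 and report the blind spot."""

# Excerpt of the packaged copy quoted in the post (2015.04.04~deb7u1).
PACKAGED = """\
iceape          2.7.12-1+alpha          2013-12-16 https://lists.debian.org/debian-security-announce/2013/msg00233.html
chromium-browser 37.0.2062.120-1~deb7u1 2015-01-31 https://lists.debian.org/debian-security-announce/2015/msg00031.html
ruby-rails-2.3 2.3.14-4          2014-07-19 https://lists.debian.org/debian-security-announce/2014/msg00164.html
"""

# Excerpt of the git copy quoted in the post: same entries plus newer ones.
GIT = PACKAGED + """\
redmine                  1.4.4+dfsg1-2+deb7u1    2014-07-19  Depends on ruby-rails-2.3 which is not supported
tomcat6                  6.0.45+dfsg-1~deb7u1    2016-12-31  https://tomcat.apache.org/tomcat-60-eol.html

# Packages below are no longer supported in Wheezy during the LTS period
openjdk-6               6b38-1.13.10-1~deb7u1   2016-04-15  Not supported in Wheezy LTS https://lists.debian.org/debian-lts/2016/02/msg00153.html
openswan                1:2.6.37-3              2016-02-06  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2015/11/msg00019.html)
"""

# Constructed sample: package names present on a hypothetical host.
INSTALLED = {"openswan", "tomcat6", "iceape", "bash"}


def parse_ended(text):
    """Return {package: (last_version, end_date, note)}, skipping comments and blanks."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 3)  # the 4th field is a URL or free text
        if len(fields) < 3:
            continue  # malformed line: ignore rather than guess
        note = fields[3] if len(fields) > 3 else ""
        entries[fields[0]] = (fields[1], fields[2], note)
    return entries


def missed_by_stale_list(stale_text, current_text, installed):
    """Installed packages flagged by the current list but absent from the stale one."""
    stale, current = parse_ended(stale_text), parse_ended(current_text)
    only_current = set(current) - set(stale)
    return sorted((pkg, current[pkg][1]) for pkg in only_current & set(installed))


if __name__ == "__main__":
    for pkg, date in missed_by_stale_list(PACKAGED, GIT, INSTALLED):
        print(f"{pkg}: support ended {date}, not flagged by the packaged list")
```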

> -----Original Message-----
> From: Markus Koschany [mailto:apo@debian.org]
> Sent: Monday, 25 April 2016 12:25
> To: debian-lts-announce@lists.debian.org
> Subject: [SECURITY] Security support for Wheezy handed over to the LTS team
> Importance: High
> 
> As of 25 April, one year after the release of Debian 8, alias "Jessie",
> and nearly three years after the release of Debian 7, alias "Wheezy",
> regular security support for Wheezy comes to an end. The Debian Long
> Term Support (LTS) Team will take over security support.
> 
> Information for users
> =====================
> 
> Wheezy LTS will be supported from 26 April 2016 to 31 May 2018.
> 
> For Debian 7 Wheezy LTS there will be no requirement to add a separate
> wheezy-lts suite to your sources.list any more and your current setup
> will continue to work without further changes.
> 
> For how to use Debian Long Term Support please read
> 
> 	https://wiki.debian.org/LTS/Using
> 
> Important information and changes regarding Wheezy LTS can be found at
> 
> 	https://wiki.debian.org/LTS/Wheezy
> 
> Most notably OpenJDK 7 will be made the new Java default JRE/JDK on 26
> June 2016 to ensure full security support until Wheezy LTS reaches its
> end-of-life.
> 
> You should also subscribe to the announcement mailing list for
> security updates for Wheezy LTS:
> 
> 	https://lists.debian.org/debian-lts-announce/
> 
> A few packages are not covered by the Wheezy LTS support. These can be
> detected by installing the debian-security-support package. If
> debian-security-support detects an unsupported package which is critical
> to you, please get in touch with debian-lts@lists.debian.org.
> 
> 
> Mailing lists
> =============
> 
> The whole coordination of the Debian LTS effort is handled through the
> debian-lts mailing list:
> 
> 	 https://lists.debian.org/debian-lts/
> 
> Please subscribe or follow us via GMANE (gmane.linux.debian.devel.lts)
> 
> Aside from the debian-lts-announce list, there is also a list for
> following all uploads in Wheezy LTS:
> 
> 	https://lists.debian.org/debian-lts-changes/
> 
> 
> Security Tracker
> ================
> 
> All information on the status of vulnerabilities (e.g. if the version in
> Wheezy LTS happens to be unaffected while Jessie is affected) will be
> tracked in the Debian Security Tracker:
> 
> 	http://security-tracker.debian.org
> 
> If you happen to spot an error in the data, please see
> 
> 	https://security-tracker.debian.org/tracker/data/report

