
Re: Should bind9 be marked no-dla?



Hi,
On Fri, Jul 08, 2016 at 11:39:22PM -0400, Roberto C. Sánchez wrote:
> I was looking over some of the packages which are still in need of DLAs.
> I saw that bind9 is listed as being vulnerable to CVE-2016-6170, but
> that has been marked as no-dsa for jessie [0].
> 
> Should it be marked as no-dla for wheezy based on the issue being minor?

At Debconf we discussed that since LTS doesn't have point releases -
where minor issues can be fixed by the maintainer - we should use no-dsa
very cautiously and rather be on the safe side.

I'd rather fix the CVE in this case than mark it as no-dsa.

Cheers,
 -- Guido

