Re: [Git][security-tracker-team/security-tracker][master] Triage CVE-2020-12675, CVE-2020-12691, CVE-2020-12690 and CVE-2020-12689 for stretch LTS.
Dear Emilio,
> > CVE-2020-12692 (An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0. ...)
> > {DSA-4679-1}
> > - keystone 2:17.0.0~rc2-1 (bug #959900)
> > + [stretch] - keystone <end-of-life> (Not supported in stretch LTS)
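Review bot: The `+ [stretch] - keystone <end-of-life>` line sits under CVE-2020-12692, which the commit subject does not name (it lists CVE-2020-12675, CVE-2020-12691, CVE-2020-12690 and CVE-2020-12689); add CVE-2020-12692 to the commit message so this triage can be found from the log. The `<end-of-life>` tag should also be backed by a keystone entry in security-support-ended.deb9, which the reply below reports as missing.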
>
> While I see keystone in security-support-ended.deb8, I don't see it in
> security-support-ended.deb9. If the situation is still the same wrt openstack,
> then I think we should add it to security-support-ended and announce it.
>
> Maybe we should in fact review all the packages in security-support-ended.deb8
> and see if there are any that should also be in deb9.
Good insight and I agree. I therefore put out an explicit request for
this within the LTS team — any volunteers to take this on? (Don't you
also find it frustrating to see tasks linger in that murky "we should
do this!" zone?)

Somewhat related but separate: Holger, do we have a checklist for what
to do when LTS follows a new distribution? If so, please add
"check/update/merge security-support-ended.debX" to that so that we are
on top of this in ~2 years. Addressing this to you as it is a kind of
'meta' process question, feel free to poke it on.

Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-