Re: [Git][security-tracker-team/security-tracker][master] Triage CVE-2020-12675, CVE-2020-12691, CVE-2020-12690 and CVE-2020-12689 for stretch LTS.



Dear Emilio,

> >  CVE-2020-12692 (An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0. ...)
> >  	{DSA-4679-1}
> >  	- keystone 2:17.0.0~rc2-1 (bug #959900)
> > +	[stretch] - keystone <end-of-life> (Not supported in stretch LTS)
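
Review bot: The added `[stretch] - keystone <end-of-life>` line sits under CVE-2020-12692, but the commit subject lists only CVE-2020-12675, CVE-2020-12691, CVE-2020-12690 and CVE-2020-12689. If this entry is triaged in the same commit, name CVE-2020-12692 in the commit message as well so the tracker history can be searched by CVE id.
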
>
> While I see keystone in security-support-ended.deb8, I don't see it in
> security-support-ended.deb9. If the situation is still the same wrt openstack,
> then I think we should add it to security-support-ended and announce it.
>
> Maybe we should in fact review all the packages in security-support-ended.deb8
> and see if there are any that should also be in deb9.

Good insight and I agree. I therefore put out an explicit request for
this within the LTS team — any volunteers to take this on? (Don't you
also find it frustrating to see tasks linger in that murky "we should
do this!" zone?)

Somewhat related but separate: Holger, do we have a checklist for what
to do when LTS follows a new distribution? If so, please add
"check/update/merge security-support-ended.debX" to that so that we are
on top of this in ~2 years. Addressing this to you as it is a kind of
'meta' process question, feel free to poke it on.


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

