Re: Question regarding security issues in LTS/Extended LTS packages
On Mon, 19 Oct 2020, Antoine Cervoise wrote:
> I'm not familiar with how to report security issues regarding packages
> under LTS/Extended LTS support.
LTS and ELTS have very different organizations. LTS has a public contact
point (here on this list) but ELTS doesn't have any since it's (only)
a commercial service by Freexian.
The canonical way to make sure a security issue is properly
tracked at all levels is to request a CVE.
A bug in the BTS (properly tagged "security") can help but only if you
notify the relevant security team. If they agree that your bug is a
security issue, then they can request a CVE by themselves.
> I've reported this issue on poppler-utils (included in poppler package, listed here:
> https://deb.freexian.com/extended-lts/docs/supported-packages/) a few months ago: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942391.
> Is this security issue supported by Extended LTS program?
Yes. But it was not on our radar because we mainly monitor CVEs.
> If I found other security issues (such as this one
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944979 which is not
> supported by Extended LTS), shall I report the issue on the Debian bug
> tracker or send it here (or both)?
If the bug only concerns the old version in jessie and not any newer
version, then the correct answer is to not send it anywhere because nobody
is supporting that package right now.
You can still request a CVE for the benefit of any other security team
supporting that specific version but I'm not sure that it's worth it given
that you are specifically testing the Debian version and not the upstream
⢀⣴⠾⠻⢶⣦⠀ Raphaël Hertzog <email@example.com>
⢿⡄⠘⠷⠚⠋ The Debian Handbook: https://debian-handbook.info/get/
⠈⠳⣄⠀⠀⠀⠀ Debian Long Term Support: https://deb.li/LTS