[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Tracking unbound1.9



Hi,

Am Donnerstag, den 29.04.2021, 20:59 +0200 schrieb Salvatore Bonaccorso:
> On Thu, Apr 29, 2021 at 06:29:33PM +0200, Sylvain Beucler wrote:
> > Hi,
> > 
> > I saw a batch of new CVEs were tracked for 'unbound', but not for the
> > stretch-specific 'unbound1.9' package[1].
> > 
> > I can go ahead and add '- unbound1.9' entries in data/CVE/list but I'm not
> > sure whether that's what we want. Should I?

Thanks Sylvain for the heads-up.

> > 
> > [1] https://lists.debian.org/debian-lts/2021/02/threads.html#00023
> 
> As I tried to explain back then in the thread, IIRC, that would in
> fact not be really technically correct, because unbound1.9 was never
> in unstable at any point in time. As such technically
> 
> - unbound1.9 <removed> 
> 
> would so imply that. I'm not sure if they will warrant an update, but
> if you think so why not as proposed there just add the item to
> dla-needed.txt list and mention the association with unbound (which
> LTS does not support anymore, right?)?

Agreed. I suggest to mark all CVE for unbound in Stretch as end-of-life. This
was already announced in May 2020 and we shouldn't change that retrospectively.
The introduction of a new source package unbound1.9 was an exception due to a
special request. In my opinion we should add unbound1.9 to dla-needed.txt and
investigate which one of the current open CVE affect this version. I can take a
look at it since I was responsible for the unbound1.9 upload anyway.

> FTR, linux-4.19 is handled in the very similar way, we never add those
> entries for "unstable" to data/CVE/list but Ben just fixes them in a
> DLA accordingly. I would follow here the same schema for this very
> special package and situation (and if you have it document it
> accordingly for the LTS workflows).

+1

Regards,

Markus

Attachment: signature.asc
Description: This is a digitally signed message part


Reply to: