[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: security support for squeeze?

On Tue, 9 Nov 2010 22:45:21 +0100, Julien Cristau wrote:
> Hi,
> I'm trying to figure out what we need for security support for squeeze.
> One blocker I know of is the dak upgrade on security-master, are there
> other things needed on the security team's side?
> The release notes also need an update regarding security support.  We
> currently have the following text:
> > <section id="mozilla-security" condition="fixme">
> > <title>Security status of Mozilla products</title>
> > <para>
> > <indexterm><primary>Mozilla</primary></indexterm>
> > The Mozilla programs <systemitem role="package">firefox</systemitem>, 
> > <systemitem role="package">thunderbird</systemitem>, and
> > <systemitem role="package">sunbird</systemitem> (rebranded in Debian to
> > <systemitem role="package">iceweasel</systemitem>, <systemitem
> > role="package">icedove</systemitem>, and <systemitem 
> > role="package">iceowl</systemitem>, respectively), are important tools for
> > many users.  Unfortunately the upstream security policy is to urge users to
> > update to new upstream versions, which conflicts with Debian's policy of not
> > shipping large functional changes in security updates.  We cannot predict it
> > today, but during the lifetime of &releasename; the Debian Security Team may come to a
> > point where supporting Mozilla products is no longer feasible and announce the
> > end of security support for Mozilla products.  You should take this into
> > account when deploying Mozilla and consider alternatives available in Debian if
> > the absence of security support would pose a problem for you.
> > </para>
> > <para>
> > <systemitem role="package">iceape</systemitem>, the unbranded version
> > of the <systemitem role="package">seamonkey</systemitem> internet
> > suite has been removed from &releasename; (with the exception of a few
> > internal library packages).
> > </para>
> > </section>
> I suspect that this is still valid (excluding the part about iceape,
> which is back in squeeze).  Should we add a blurb about the webkit-based
> browsers (epiphany, chromium, konqueror, others?)?  If so would anybody
> like to propose wording?
> > <section id="webservice-security" condition="fixme">
> > <title>Security status of OCS Inventory and SQL-Ledger</title>
> > <para>
> > <indexterm><primary>OCS Inventory</primary></indexterm>
> > <indexterm><primary>SQL-Ledger</primary></indexterm>
> > The webservice packages <systemitem
> > role="package">ocsinventory-server</systemitem> and <systemitem
> > role="package">sql-ledger</systemitem> are included in the &releasename;
> > release but have special security requirements that users should be aware of
> > before deploying them.  These two webservices are designed for deployment
> > only behind an authenticated HTTP zone and should never be made available to
> > untrusted users; and therefore they receive only limited security support
> > from the Debian security team.  Users should therefore take particular care
> > when evaluating who to grant access to these services.
> > </para>
> > </section>
> Has this changed (I guess not)?  Are there other webapps in this
> category?
> Finally, are there other packages we know have limited security support,
> and should be mentioned there?

You may want to mention that openjdk-6 and sun-java-6 don't receive
security support/updates.  I'm not sure if whether this is a security
team policy decision, or whether its simply a de facto state due to lack
of interest. The last DSA for openjdk was in April 2009 even though
there have been about 100 CVEs issued for it since then.


Reply to: