
Re: security support for squeeze?



On Tue, 9 Nov 2010 22:45:21 +0100, Julien Cristau wrote:
> Hi,
> 
> I'm trying to figure out what we need for security support for squeeze.
> One blocker I know of is the dak upgrade on security-master, are there
> other things needed on the security team's side?
> 
> The release notes also need an update regarding security support.  We
> currently have the following text:
> 
> > <section id="mozilla-security" condition="fixme">
> > <title>Security status of Mozilla products</title>
> > <para>
> > <indexterm><primary>Mozilla</primary></indexterm>
> > The Mozilla programs <systemitem role="package">firefox</systemitem>, 
> > <systemitem role="package">thunderbird</systemitem>, and
> > <systemitem role="package">sunbird</systemitem> (rebranded in Debian to
> > <systemitem role="package">iceweasel</systemitem>, <systemitem
> > role="package">icedove</systemitem>, and <systemitem 
> > role="package">iceowl</systemitem>, respectively), are important tools for
> > many users.  Unfortunately the upstream security policy is to urge users to
> > update to new upstream versions, which conflicts with Debian's policy of not
> > shipping large functional changes in security updates.  We cannot predict it
> > today, but during the lifetime of &releasename; the Debian Security Team may come to a
> > point where supporting Mozilla products is no longer feasible and announce the
> > end of security support for Mozilla products.  You should take this into
> > account when deploying Mozilla and consider alternatives available in Debian if
> > the absence of security support would pose a problem for you.
> > </para>
> > <para>
> > <systemitem role="package">iceape</systemitem>, the unbranded version
> > of the <systemitem role="package">seamonkey</systemitem> internet
> > suite has been removed from &releasename; (with the exception of a few
> > internal library packages).
> > </para>
> > </section>
> 
> I suspect that this is still valid (excluding the part about iceape,
> which is back in squeeze).  Should we add a blurb about the webkit-based
> browsers (epiphany, chromium, konqueror, others?)?  If so would anybody
> like to propose wording?
> 
> > <section id="webservice-security" condition="fixme">
> > <title>Security status of OCS Inventory and SQL-Ledger</title>
> > <para>
> > <indexterm><primary>OCS Inventory</primary></indexterm>
> > <indexterm><primary>SQL-Ledger</primary></indexterm>
> > The webservice packages <systemitem
> > role="package">ocsinventory-server</systemitem> and <systemitem
> > role="package">sql-ledger</systemitem> are included in the &releasename;
> > release but have special security requirements that users should be aware of
> > before deploying them.  These two webservices are designed for deployment
> > only behind an authenticated HTTP zone and should never be made available to
> > untrusted users; and therefore they receive only limited security support
> > from the Debian security team.  Users should therefore take particular care
> > when evaluating who to grant access to these services.
> > </para>
> > </section>
> 
> Has this changed (I guess not)?  Are there other webapps in this
> category?
> 
> Finally, are there other packages we know have limited security support,
> and should be mentioned there?

You may want to mention that openjdk-6 and sun-java-6 don't receive
security support/updates.  I'm not sure whether this is a security
team policy decision, or whether it's simply a de facto state due to lack
of interest. The last DSA for openjdk was in April 2009 even though
there have been about 100 CVEs issued for it since then.

Mike

