[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: http://www.debian.org/security/ does not show dsa-1753-2

Hello Thieo (and security team)

On Wed, Jul 15, 2009 at 02:55:19PM +0200, Thiemo Nagel wrote:
> I just noticed that dsa-1753-2 (icedove end-of-life) is not displayed on  
> http://www.debian.org/security/, although it is merely 3 days old (from  
> July 12)...

You're right, thanks for your notice.

DSA-N with N > 1 usually contains the previous DSA. In the case of
DSA-1753-2, the content is not merged at all.
Since I guess it's too late to give DSA-1753-2 its own DSA-XXXX-1, here is a
proposal for the website:

<p>As indicated in the Etch release notes, security support for the
Iceweasel **and Icedove** versions in the oldstable distribution (Etch) needed to be
stopped before the end of the regular security maintenance life cycle.</p>

<p>You are strongly encouraged to upgrade to stable or switch from Iceweasel to a still
supported browser **and from Icedove to a still supported email client.**</p>

<p>On a side note, please note that the Debian stable/Lenny version of
Iceweasel - the unbranded version of the Firefox browser - links
dynamically against the Xulrunner library. As such, most of the
vulnerabilities found in Firefox need only be fixed in the Xulrunner
package and don't require updates to the Iceweasel package any longer.</p>

^^ Does this remark apply to Icedove ?

> It looks like none of the dsa-updates are shown (also not eg.  
> DSA-1829-2).  I'd consider this a bad policy, since dsa-updates may  
> contain important additional information, like in the case of icedove  
> end-of-life...

Again, you noticed it right.

There is today no automated way to updated already released DSA, the backlog
increases unless someone takes care of it manually.

@security: it raises again the subject of releasing DSAs on the wseb.
Could we agree on a source format for DSA ? either plain text or XML, but
something that guarantees the website is always up to date automatically.

Issues today: which format for: DSA updates, CVE references in headers,
CVE/vulnerabilities items.

Example: Gentoo people use http://www.gentoo.org/dtd/glsa.dtd / http://dev.gentoo.org/~rbu/glsa-2/glsa-2.dtd

Simon Paillard

Reply to: