
Re: working for wheezy-security until wheezy-lts starts



On Tue, Mar 01, 2016 at 07:15:28AM +0000, Mike Gabriel wrote:
[..snip..]
> >>Issues that are unfixed in wheezy but fixed in squeeze:
> >>* aptdaemon            -> CVE-2015-1323
> >>* cakephp              -> TEMP-0000000-698CF7
> >>* dhcpcd               -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
> >>* eglibc               -> CVE-2014-9761
> >>* extplorer            -> CVE-2015-0896
> >>* fuseiso              -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
> >>* gosa                 -> CVE-2014-9760 CVE-2015-8771
> >>* gtk+2.0              -> CVE-2013-7447
> >>* icu                  -> CVE-2015-2632
> >>* imagemagick          -> TEMP-0773834-5EB6CF
> >>* imlib2               -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764
> >>* inspircd             -> CVE-2015-8702
> >>* libebml              -> CVE-2015-8790 CVE-2015-8791
> >>* libidn               -> CVE-2015-2059 TEMP-0000000-54045E
> >>* libmatroska          -> CVE-2015-8792
> >>* libsndfile           -> CVE-2014-9756 CVE-2015-7805
> >>* libstruts1.2-java    -> CVE-2015-0899
> >>* libtorrent-rasterbar -> CVE-2015-5685
> >>* mono                 -> CVE-2009-0689
> >>* nss                  -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
> >>* optipng              -> CVE-2015-7801
> >>* phpmyadmin           -> CVE-2016-2039 CVE-2016-2041
> >>* pixman               -> CVE-2014-9766
> >>* python-tornado       -> CVE-2014-9720
> >>* roundcube            -> CVE-2015-8770
> >>* srtp                 -> CVE-2015-6360
> >>* tomcat6              -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033
> >>CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227
> >>CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
> >>CVE-2016-0706 CVE-2016-0714 CVE-2016-0763
> >
> >I'm focusing on these, picking older ones over newer ones to not stomp
> >onto the security team's toes.
> 
> Do you announce anywhere that you will start working on a specific package?
> Wouldn't it make sense to put all the packages listed below into
> data/dsa-needed.txt (with approval from the Security Team) and then put our
> names behind those package names?

In order to avoid double work I added these to dsa-needed.txt and put my
name on the line.

Cheers,
 -- Guido

