
Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?



On Wed, Oct 19, 2016 at 12:51:06PM -0200, Henrique de Moraes Holschuh wrote:
> On Tue, Oct 18, 2016, at 18:21, Florian Weimer wrote:
> > Right.  Debian kernel updates can only be applied with a reboot.  If
> > we publish a kernel update, its mere availability may put some of our
> > users out of compliance with their policies, which is why we batch
> > these updates.
> 
> Is this correct?  Really?

Well, in certain environments I would not be surprised by a security policy
that boils down to: "If a security patch from [authorized source] becomes
available, it must be applied to all applicable systems within [short time]."

Kind regards,
           Alex.
-- 
"Opportunity is missed by most people because it is dressed in overalls and
 looks like work."                                      -- Thomas A. Edison

