
Security support incomplete? (was: Re: [SECURITY] [DSA 3455-1] curl security update)



On Tuesday, 02.02.2016, at 10:58 +0100, Freddy Spierenburg wrote:
> Hi Wolfgang,
> 
> On Tue, Feb 02, 2016 at 11:40:03AM +0200, Wolfgang Jeltsch wrote:
> > I notice that there are no fixes for oldstable. Is oldstable not
> > affected by this security issue?
> [cut]
> > > Package        : curl
> > > CVE ID         : CVE-2016-0755
> 
> Please check out: https://security-tracker.debian.org/tracker/CVE-2016-0755

Hi,

So as I understand it, this security hole will not be fixed in oldstable.

While I can understand that this might be a sensible decision, I wonder
why this is not announced prominently. I understood that oldstable has
security support, meaning that all known security holes in it will be
fixed by default. There have been cases when the security team stopped
supporting certain packages in oldstable, but where this was clearly
announced.

So far I relied on the assumption that I am on the safe side if I
regularly install all available security updates and watch out for
announcements of discontinuation of security support. Now I wonder how
many security holes my system already has, because issues have gone
silently unfixed.

Can anyone please clarify? In particular, I would like to know what the
exact policies regarding coverage of security support are, and which
issues have intentionally not been fixed in oldstable (and maybe even
stable).

Thank you very much.

All the best,
Wolfgang
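The question above, which issues have intentionally been left unfixed in a given release, is what the security tracker's per-release status records. The following is an added example, not part of this thread and not Debian's own tooling. It assumes the shape of the tracker's JSON export at https://security-tracker.debian.org/tracker/data/json (a top-level mapping of package to CVE to a "releases" mapping with "status", optional "fixed_version" and an optional "nodsa" note); the sample data below is constructed for illustration, not taken from the tracker.

```python
import json

# Constructed sample in the assumed shape of the security tracker's JSON export.
# The curl/CVE-2016-0755 identifiers come from the DSA quoted in this thread;
# the statuses, versions and notes, and the second package, are made up.
SAMPLE_TRACKER_JSON = json.dumps({
    "curl": {
        "CVE-2016-0755": {
            "releases": {
                "wheezy": {"status": "open", "urgency": "low",
                           "nodsa": "Minor issue"},          # constructed note
                "jessie": {"status": "resolved", "urgency": "low",
                           "fixed_version": "0.0-0+constructed"},
            }
        }
    },
    "examplepkg": {                      # hypothetical package
        "CVE-0000-0001": {               # placeholder CVE id, not a real one
            "releases": {
                "wheezy": {"status": "resolved",
                           "fixed_version": "1.0-1+constructed"},
                "jessie": {"status": "open", "urgency": "medium"},
            }
        }
    },
})


def unfixed_in_release(tracker_data, release):
    """Return (package, cve, reason) for every CVE not resolved in `release`.

    A "nodsa" note means the security team decided not to issue a DSA for
    that release, i.e. the issue is intentionally left open; an entry that is
    merely "open" has no fix tracked yet. Releases the tracker does not list
    for a CVE are skipped rather than reported.
    """
    found = []
    for package, cves in tracker_data.items():
        for cve, info in cves.items():
            rel = info.get("releases", {}).get(release)
            if rel is None or rel.get("status") == "resolved":
                continue
            if "nodsa" in rel:
                reason = "no-dsa: " + rel["nodsa"]
            else:
                reason = "%s (no fix tracked)" % rel.get("status", "unknown")
            found.append((package, cve, reason))
    return sorted(found)


def report(tracker_json, release):
    """Parse the export and print one line per unfixed issue in `release`."""
    rows = unfixed_in_release(json.loads(tracker_json), release)
    for package, cve, reason in rows:
        print("%s\t%s\t%s\t%s" % (release, package, cve, reason))
    return len(rows)


if __name__ == "__main__":
    # With the real export, replace SAMPLE_TRACKER_JSON by the downloaded file
    # contents and pass the codename of the release you run.
    report(SAMPLE_TRACKER_JSON, "wheezy")
    report(SAMPLE_TRACKER_JSON, "jessie")
```

Run against the real export, the "no-dsa" rows are the answer to the question above for a release: issues known to the tracker whose status is deliberately left open there, which a system that only installs DSAs will never receive.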
