On 2016-02-02 16:14, Yves-Alexis Perez wrote:
> On mar., 2016-02-02 at 17:37 +0200, Wolfgang Jeltsch wrote:
>> Can anyone please clarify? In particular, I would like to know what the
>> exact policies regarding coverage of security support are, and what
>> issues have not been fixed intentionally in oldstable (and maybe even
>> stable).
>
> Everything is in the tracker.
>
> Regards,

Hi,

Even the tracker has its issues. Looking at the DSA in the announcement
https://security-tracker.debian.org/tracker/DSA-3455-1
"Debian/oldstable not known to be vulnerable."
but looking at the matching CVE
https://security-tracker.debian.org/tracker/CVE-2016-0755
"Debian/oldstable package curl is vulnerable."

Pointing me to the tracker just brought me the unpleasant news that I was already vulnerable to the older
https://security-tracker.debian.org/tracker/CVE-2015-3153
"Debian/oldstable package curl is vulnerable."
https://security-tracker.debian.org/tracker/DSA-3240-1
"Debian/oldstable not known to be vulnerable."

Thanks for the work, anyway.

Pedro.