Status of security support in Debian stable

To: debian-security@lists.debian.org
Subject: Status of security support in Debian stable
From: jaroslav@thinline.cz
Date: Mon, 03 Sep 2018 19:46:07 +0200
Message-id: <[🔎] ce8f3f2056ed8b55ac913fc6e6faf3bb@thinline.cz>

Hello,

I would like to ask about the status of security support for LAMPpackages in Debian stable. I've noticed that security related updateshave been lagging behind upstream - for example PHP security updatesfrom Debian usually come out few weeks or even months after upstreamrelease. When next stable is released and longterm team takes over, thisdelay goes away.

For me it's currently most notable in MariaDB - while version 10.0 fromJessie has received multiple updates in past few months (after becominglongterm), 10.1 in Stretch has not been updated in a year (and itschangelong does mention CVEs.)

Does anyone know the reason behind this? Is it because stable andlongterm maintainers have different opinions about the severity of thevulnerabilities? Or do stable maintainers of LAMP related packagessimply have not enough time to release without delays and users arebetter off using upstream releases?


Thanks for all the replies.

Reply to:

Prev by Date: Re: Hardening Linux conf
Next by Date: Testers needed for ghostscript update
Previous by thread: Re: Hardening Linux conf
Next by thread: Testers needed for ghostscript update
Index(es):
- Date
- Thread