[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Status of security support in Debian stable


I would like to ask about the status of security support for LAMP packages in Debian stable. I've noticed that security related updates have been lagging behind upstream - for example PHP security updates from Debian usually come out few weeks or even months after upstream release. When next stable is released and longterm team takes over, this delay goes away.

For me it's currently most notable in MariaDB - while version 10.0 from Jessie has received multiple updates in past few months (after becoming longterm), 10.1 in Stretch has not been updated in a year (and its changelong does mention CVEs.)

Does anyone know the reason behind this? Is it because stable and longterm maintainers have different opinions about the severity of the vulnerabilities? Or do stable maintainers of LAMP related packages simply have not enough time to release without delays and users are better off using upstream releases?

Thanks for all the replies.

Reply to: