squid3 3.4.8 has some security issues(risks)/bugs so an upgrade to 3.5 is actually only a fix of this bugs/security issues. There is no patch for 3.4.8 because it's outdated. Debian Jessie is the current active release. So why not fixing squid3 in Debian Jessie with an stable 3.5 update?
On Fri, 2016-01-15 at 19:47 +0000, startrekfan wrote:
> Hello,
>
> I'm not sure which mailing list I should chose. So I'll try my luck here.
>
> I didn't subscribed to the mailing list. So* please put my mail address
> into cc*. thanks.
>
> *squid3 Version 3.4.8* is deployed in the Jessie stable repository.* This
> version is outdated and has some security risks!!*. Version 3.5 is more
> secure but unfortunately it's only marked as unstable
You seem a bit confused about how Debian releases work. Within any
stable release, we apply bug fixes only - unless it's impossible for us
to provide security support for the old upstream version.
Our package of squid 3.4.8 does have a security fix on top of the
upstream version: https://tracker.debian.org/news/702659
So far as we know, there are no important security issues still
affecting the version in jessie:
https://security-tracker.debian.org/tracker/source-package/squid3
Do you know otherwise?
Ben.
> So I'd like to request to mark Version 3.5 as stable.(But Version 3.5 in
> stable state)
>
> thank you
--
Ben Hutchings
The program is absolutely right; therefore, the computer must be wrong.