[Secure-testing-commits] r27092 - data

Moritz Muehlenhoff jmm at moszumanska.debian.org
Mon Jun 2 05:46:18 UTC 2014


Author: jmm
Date: 2014-06-02 05:46:18 +0000 (Mon, 02 Jun 2014)
New Revision: 27092

Added:
   data/lts-needed.txt
Log:
new file to track open issues for squeeze-lts


Added: data/lts-needed.txt
===================================================================
--- data/lts-needed.txt	                        (rev 0)
+++ data/lts-needed.txt	2014-06-02 05:46:18 UTC (rev 27092)
@@ -0,0 +1,104 @@
+A squeez-lts security update is needed for the following source packages. 
+
+The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
+https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
+when working on an update.
+
+Some packages are not tracked here:
+- Linux kernel (tracking in kernel-sec repo)
+
+To pick an issue, simply add your name behind it.
+
+
+
+
+
+
+--
+cacti
+--
+fail2ban
+--
+gnutls26
+--
+icinga
+--
+libapache-mod-security
+--
+libplrpc-perl
+  Plan: drop the dependency for libdbi-perl 
+--
+libxml2
+--
+libxml-security-java
+--
+libxstream-java
+--
+lxml
+--
+nss (Raphael Geissert)
+--
+php5
+--
+phpmyadmin (Thijs Kinkhorst)
+--
+python2.6
+--
+qt4-x11
+--
+xlhtml
+--
+
+
+
+
+
+
+
+How is this list being updated?
+-------------------------------
+
+Have a look at the distro view on squeeze:
+https://security-tracker.debian.org/tracker/status/release/oldstable
+
+It contains all security issues which are unfixed and which haven't been tagged
+as <no-dsa>. These are security issues which have a minor impact and aren't worthy
+an update on their own (e.g. if a security issue can only be exploited in rare
+circumstances or if it's only of minor impact). Examples:
+* A vulnerability in a server which is only exploitable in a rare or inherently
+  insecure setup
+* Local temp races allowing DoS
+* Minor denial of service issues
+
+It might also be the case that a package is heavily used in stable, but has no
+reverse deps in oldstable and was introduced on a rather experimental basis.
+
+no-dsa doesn't mean that a security issue will remain unfixed. For standard stable 
+and oldstable in Debian there are regular point updates which incorporate such
+minor fixes. There are no such point updates for Debian LTS, though. But if e.g.
+there's a minor issue in a package, it can be postponed using no-dsa and if there's
+later a more severe issue the issue formerly tagged as no-dsa can be fixed along.
+
+Keep in mind that every update may potentially introduce a regression and that
+every update involves work on the admin rolling out the updated package!
+
+
+So, if there's a security issue in a package listed at 
+https://security-tracker.debian.org/tracker/status/release/oldstable which is not
+yet present in this file, so should do the following:
+
+I. Is the vulnerability present in the version in squeeze-lts? Often the vulnerable
+code has been introduced later. Don't blindly follow upstream advisories! Example:
+Software project X is currently at release 2.1.2 and provides updates for 2.0.x and
+2.1.x while squeeze-lts is at 1.8.x. Always check the code unless upstream explicity
+tells that e.g. the issue was introduced in 2.0 with git commit foobar.
+
+II. If the vulnerable code is present, does the vulnerability warrant a security
+update? If not, it can be tagged no-dsa. Issues tagged as no-dsa in stable might
+qualify as such, but you're free to use your own judgement.
+
+III. If the code is present and the issue is severe enough and not yet present
+in this file add it (preserving the alphabetical order). Even better, add yourself
+as the person working on a fixed package!
+
+
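Review bot: the first line of the new file misspells the suite as "squeez-lts" (should be "squeeze-lts"), and the procedure text at the bottom carries a few more typos that will otherwise be copied into every later edit of this file: "aren't worthy an update" (should be "don't warrant an update"), "explicity" (should be "explicitly"), and "so should do the following" (should be "you should do the following"). The instruction "To pick an issue, simply add your name behind it" would also benefit from spelling out the expected form of a claimed entry, since the list already uses two styles: a name in parentheses as in "nss (Raphael Geissert)", and an indented "Plan:" line under libplrpc-perl; noting the date of the claim alongside the name would make it visible when an entry has gone stale. Finally, the long runs of empty lines after the "To pick an issue" paragraph and after the last "--" separator can be trimmed without losing anything.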