[Secure-testing-commits] r28601 - data

Holger Levsen holger at moszumanska.debian.org
Thu Sep 4 16:10:57 UTC 2014


Author: holger
Date: 2014-09-04 16:10:57 +0000 (Thu, 04 Sep 2014)
New Revision: 28601

Added:
   data/dla-needed.txt
Removed:
   data/lts-needed.txt
Log:
rename lts-needed.txt to dla-needed.txt to match dsa-needed.txt

Copied: data/dla-needed.txt (from rev 28600, data/lts-needed.txt)
===================================================================
--- data/dla-needed.txt	                        (rev 0)
+++ data/dla-needed.txt	2014-09-04 16:10:57 UTC (rev 28601)
@@ -0,0 +1,117 @@
+A squeeze-lts security update is needed for the following source packages. 
+
+The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
+https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
+when working on an update.
+
+To pick an issue, simply add your name behind it.
+
+--
+commons-beanutils
+--
+evince
+--
+fex (non-free)
+--
+gnupg2
+  Please talk to the maintainer Eric, as he most likely would do the upload himself
+--
+graphicsmagick
+-- 
+icinga
+--
+libextlib-ruby
+--
+libjson-ruby
+--
+libphp-snoopy
+--
+librack-ruby
+--
+libspring-2.5-java
+--
+libtasn1-3
+--
+libxml-security-java (Thorsten Alteholz)
+--
+libxstream-java (Holger Levsen, help welcome)
+--
+linux-2.6
+--
+nfs-utils
+--
+nss
+--
+openjdk-6
+--
+php5 (Thorsten Alteholz)
+--
+python-django (Thorsten Alteholz)
+--
+qt4-x11
+--
+roundup
+--
+ruby (several versions)
+--
+squid3 (Holger Levsen)
+--
+tomcat6 (Holger Levsen)
+--
+xlhtml
+--
+zendframework
+--
+
+
+
+
+
+
+How is this list being updated?
+-------------------------------
+
+Have a look at the distro view on squeeze:
+https://security-tracker.debian.org/tracker/status/release/oldstable
+
+It contains all security issues which are unfixed and which haven't been tagged
+as <no-dsa>. These are security issues which have a minor impact and aren't worthy
+an update on their own (e.g. if a security issue can only be exploited in rare
+circumstances or if it's only of minor impact). Examples:
+* A vulnerability in a server which is only exploitable in a rare or inherently
+  insecure setup
+* Local temp races allowing DoS
+* Minor denial of service issues
+
+It might also be the case that a package is heavily used in stable, but has no
+reverse deps in oldstable and was introduced on a rather experimental basis.
+
+no-dsa doesn't mean that a security issue will remain unfixed. For standard stable 
+and oldstable in Debian there are regular point updates which incorporate such
+minor fixes. There are no such point updates for Debian LTS, though. But if e.g.
+there's a minor issue in a package, it can be postponed using no-dsa and if there's
+later a more severe issue the issue formerly tagged as no-dsa can be fixed along.
+
+Keep in mind that every update may potentially introduce a regression and that
+every update involves work on the admin rolling out the updated package!
+
+
+So, if there's a security issue in a package listed at 
+https://security-tracker.debian.org/tracker/status/release/oldstable which is not
+yet present in this file, so should do the following:
+
+I. Is the vulnerability present in the version in squeeze-lts? Often the vulnerable
+code has been introduced later. Don't blindly follow upstream advisories! Example:
+Software project X is currently at release 2.1.2 and provides updates for 2.0.x and
+2.1.x while squeeze-lts is at 1.8.x. Always check the code unless upstream explicity
+tells that e.g. the issue was introduced in 2.0 with git commit foobar.
+
+II. If the vulnerable code is present, does the vulnerability warrant a security
+update? If not, it can be tagged no-dsa. Issues tagged as no-dsa in stable might
+qualify as such, but you're free to use your own judgement.
+
+III. If the code is present and the issue is severe enough and not yet present
+in this file add it (preserving the alphabetical order). Even better, add yourself
+as the person working on a fixed package!
+
+
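Review bot: the text moved into data/dla-needed.txt carries a few wording slips that would be cheap to fix in the same commit: in the closing section of the hunk, "unless upstream explicity tells" should read "explicitly", "so should do the following" should read "you should do the following", and earlier "aren't worthy an update on their own" should read "don't warrant an update on their own". The tag is written once as `<no-dsa>` in angle brackets and afterwards as plain no-dsa; using one form throughout avoids suggesting two different tags. Since the filename now carries the dla- prefix to match dsa-needed.txt, the first line could also mention that the updates tracked here are issued as DLAs, so the prefix is explained by the file itself. Minor: the run of six empty lines before "How is this list being updated?" could be trimmed to one.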

Deleted: data/lts-needed.txt
===================================================================
--- data/lts-needed.txt	2014-09-04 16:09:13 UTC (rev 28600)
+++ data/lts-needed.txt	2014-09-04 16:10:57 UTC (rev 28601)
@@ -1,117 +0,0 @@
-A squeeze-lts security update is needed for the following source packages. 
-
-The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
-https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
-when working on an update.
-
-To pick an issue, simply add your name behind it.
-
---
-commons-beanutils
---
-evince
---
-fex (non-free)
---
-gnupg2
-  Please talk to the maintainer Eric, as he most likely would do the upload himself
---
-graphicsmagick
--- 
-icinga
---
-libextlib-ruby
---
-libjson-ruby
---
-libphp-snoopy
---
-librack-ruby
---
-libspring-2.5-java
---
-libtasn1-3
---
-libxml-security-java (Thorsten Alteholz)
---
-libxstream-java (Holger Levsen, help welcome)
---
-linux-2.6
---
-nfs-utils
---
-nss
---
-openjdk-6
---
-php5 (Thorsten Alteholz)
---
-python-django (Thorsten Alteholz)
---
-qt4-x11
---
-roundup
---
-ruby (several versions)
---
-squid3 (Holger Levsen)
---
-tomcat6 (Holger Levsen)
---
-xlhtml
---
-zendframework
---
-
-
-
-
-
-
-How is this list being updated?
--------------------------------
-
-Have a look at the distro view on squeeze:
-https://security-tracker.debian.org/tracker/status/release/oldstable
-
-It contains all security issues which are unfixed and which haven't been tagged
-as <no-dsa>. These are security issues which have a minor impact and aren't worthy
-an update on their own (e.g. if a security issue can only be exploited in rare
-circumstances or if it's only of minor impact). Examples:
-* A vulnerability in a server which is only exploitable in a rare or inherently
-  insecure setup
-* Local temp races allowing DoS
-* Minor denial of service issues
-
-It might also be the case that a package is heavily used in stable, but has no
-reverse deps in oldstable and was introduced on a rather experimental basis.
-
-no-dsa doesn't mean that a security issue will remain unfixed. For standard stable 
-and oldstable in Debian there are regular point updates which incorporate such
-minor fixes. There are no such point updates for Debian LTS, though. But if e.g.
-there's a minor issue in a package, it can be postponed using no-dsa and if there's
-later a more severe issue the issue formerly tagged as no-dsa can be fixed along.
-
-Keep in mind that every update may potentially introduce a regression and that
-every update involves work on the admin rolling out the updated package!
-
-
-So, if there's a security issue in a package listed at 
-https://security-tracker.debian.org/tracker/status/release/oldstable which is not
-yet present in this file, so should do the following:
-
-I. Is the vulnerability present in the version in squeeze-lts? Often the vulnerable
-code has been introduced later. Don't blindly follow upstream advisories! Example:
-Software project X is currently at release 2.1.2 and provides updates for 2.0.x and
-2.1.x while squeeze-lts is at 1.8.x. Always check the code unless upstream explicity
-tells that e.g. the issue was introduced in 2.0 with git commit foobar.
-
-II. If the vulnerable code is present, does the vulnerability warrant a security
-update? If not, it can be tagged no-dsa. Issues tagged as no-dsa in stable might
-qualify as such, but you're free to use your own judgement.
-
-III. If the code is present and the issue is severe enough and not yet present
-in this file add it (preserving the alphabetical order). Even better, add yourself
-as the person working on a fixed package!
-
-
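Review bot: the deleted data/lts-needed.txt is identical to the content just added as data/dla-needed.txt (both hunks span 117 lines and the copy is recorded as taken from rev 28600), so the rename loses nothing; the one thing left to check is whether any script or documentation elsewhere in the repository still refers to data/lts-needed.txt, since such references now point at a removed file.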



