[Pkg-clamav-devel] Bug#888484: Bug#888484: Updates for stretch/jessie not in security repo
Salvatore Bonaccorso
carnil at debian.org
Thu Feb 1 05:49:46 UTC 2018
Hi Scott,
On Wed, Jan 31, 2018 at 10:57:30PM -0500, Scott Kitterman wrote:
> On Thursday, February 01, 2018 01:03:29 AM Matija Nalis wrote:
> > nor does debian security tracker list the updates as available for
> > jessie/stretch:
> > https://security-tracker.debian.org/tracker/source-package/clamav
> >
> > (security-tracked does say in hover text that jessie
> > "gets updated via -updates", so it should pick that up)
> >
> > it correctly reports wheezy, buster and sid as fixed.
> >
> > for example, see also
> > https://security-tracker.debian.org/tracker/CVE-2017-12376
> >
> > this looks to me also like something that should be fixed (somewhere)?
>
> By design, the security tracker doesn't consider things 'fixed' in stable via
> updates until after it's included in a Debian point release. I agree it's not
> totally clear, but the way it's working is what the security team intends.
JFTR, yes that's correct. As a side node, we might need to look into
starting -updates and consider what is there to be 'accepted' for
stable (oldstable) already by the stable release managers. This would
need some work on the security-tracker side which would not support
that yet. Will think about it.
Regards,
Salvatore
More information about the Pkg-clamav-devel
mailing list