Hi Guido,

On Mo 29 Feb 2016 21:54:11 CET, Guido Günther wrote:

> * prepare a fixed package
> * test the package
> * send a .debdiff to t...@security.debian.org
> * wait for feedback and ideally permission to upload to wheezy-security
>
> That's what I'm doing at the moment (sending the debdiff to the bug
> report in case there is one as well) for issues that are unfixed (not
> no-dsa, see below).
Ok.
[..snip..]

> Issues that are unfixed in wheezy but fixed in squeeze:
>
> * aptdaemon -> CVE-2015-1323
> * cakephp -> TEMP-0000000-698CF7
> * dhcpcd -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
> * eglibc -> CVE-2014-9761
> * extplorer -> CVE-2015-0896
> * fuseiso -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
> * gosa -> CVE-2014-9760 CVE-2015-8771
> * gtk+2.0 -> CVE-2013-7447
> * icu -> CVE-2015-2632
> * imagemagick -> TEMP-0773834-5EB6CF
> * imlib2 -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764
> * inspircd -> CVE-2015-8702
> * libebml -> CVE-2015-8790 CVE-2015-8791
> * libidn -> CVE-2015-2059 TEMP-0000000-54045E
> * libmatroska -> CVE-2015-8792
> * libsndfile -> CVE-2014-9756 CVE-2015-7805
> * libstruts1.2-java -> CVE-2015-0899
> * libtorrent-rasterbar -> CVE-2015-5685
> * mono -> CVE-2009-0689
> * nss -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
> * optipng -> CVE-2015-7801
> * phpmyadmin -> CVE-2016-2039 CVE-2016-2041
> * pixman -> CVE-2014-9766
> * python-tornado -> CVE-2014-9720
> * roundcube -> CVE-2015-8770
> * srtp -> CVE-2015-6360
> * tomcat6 -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033 CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227 CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351 CVE-2016-0706 CVE-2016-0714 CVE-2016-0763
>
> I'm focusing on these, picking older ones over newer ones so as not to
> stomp on the security team's toes.
Do you announce anywhere that you will start working on a specific package? Wouldn't it make sense to put all the packages listed below into data/dsa-needed.txt (with approval from the Security Team) and then put our names behind those package names?

@Security Team: Please guide the LTS contributors to a good way of supporting you. Would it make sense to add the above packages to data/dsa-needed.txt, so that LTS contributors can grab packages from the dsa-needed.txt file and work on fixing the listed issues?
> Issues that are no-dsa in wheezy but fixed in squeeze:
>
> * augeas -> CVE-2012-0786 CVE-2012-0787
> * binutils -> TEMP-0000000-A2945B
> * busybox -> TEMP-0803097-A74121
> * chrony -> CVE-2016-1567
> * dbconfig-common -> TEMP-0805638-5AC56F
> * dwarfutils -> CVE-2015-8750
> * foomatic-filters -> TEMP-0000000-ACBC4C
> * imagemagick -> CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716 TEMP-0806441-76CD60 TEMP-0806441-CB092C
> * libemail-address-perl -> TEMP-0000000-F41FA7
> * libfcgi-perl -> CVE-2012-6687
> * librsvg -> CVE-2015-7557
> * libsndfile -> CVE-2014-9496
> * libunwind -> CVE-2015-3239
> * openslp-dfsg -> CVE-2012-4428
> * openssh -> CVE-2015-5352 CVE-2015-5600
> * php5 -> CVE-2011-0420 CVE-2011-1657
> * postgresql-8.4 -> CVE-2015-3165 CVE-2015-3166 CVE-2015-3167 CVE-2015-5288
> * python-scipy -> CVE-2013-4251
> * python2.6 -> CVE-2011-4940 CVE-2013-4238 CVE-2014-1912
> * qt4-x11 -> CVE-2015-0295 CVE-2015-1858 CVE-2015-1859 CVE-2015-1860
> * remind -> CVE-2015-5957
> * ruby1.8 -> CVE-2009-5147
> * ruby1.9.1 -> CVE-2009-5147
> * t1utils -> CVE-2015-3905
> * texlive-extra -> CVE-2012-2120
> * tomcat6 -> CVE-2013-4590
> * vorbis-tools -> CVE-2014-9638 CVE-2014-9639 CVE-2014-9640 CVE-2015-6749
>
> I think these would be addressed via stable point release updates in
> wheezy/jessie rather than going via the security team.
Yeah, if at all. I just listed them for completeness' sake.

Mike

-- 
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
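The two lists quoted above arrive flattened into one `package -> ID ID ...` line each, and Guido's stated rule for choosing among them is "older ones over newer ones". As an added example, not code from this thread, from Debian's security-tracker or from any of the participants, here is a small Python parser for that list format: it splits the entries, validates every identifier as either a CVE id or a security-tracker TEMP id (rejecting anything else, so a typo in a hand-edited list is caught before someone claims the wrong package), and orders packages by the year of their oldest CVE. The sample input is a constructed subset of the "unfixed in wheezy" list above; the function and variable names are this example's own.

```python
import re

# Identifier shapes as they appear in the security-tracker lists above.
CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")
TEMP_RE = re.compile(r"^TEMP-\d{7}-[0-9A-F]{6}$")

# Constructed sample: a subset of Guido's "unfixed in wheezy" list,
# in the flattened one-line form it was quoted in.
UNFIXED_SAMPLE = """
Issues that are unfixed in wheezy but fixed in squeeze: * aptdaemon -> CVE-2015-1323
* cakephp -> TEMP-0000000-698CF7 * dhcpcd -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
* mono -> CVE-2009-0689 * nss -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
* tomcat6 -> CVE-2013-4286 CVE-2016-0763
"""


def parse_issue_list(text):
    """Parse 'pkg -> ID ID ...' entries separated by ' * ' into {pkg: [ids]}.

    Whitespace (including line breaks) is normalised first, so the same
    parser handles the flattened and the one-entry-per-line form.
    Raises ValueError on an entry without ids or on an identifier that is
    neither a CVE nor a TEMP id.
    """
    flat = " ".join(text.split())
    # Everything before the first " * " is the heading; it carries no entries.
    entries = flat.split(" * ")[1:]
    issues = {}
    for entry in entries:
        pkg, _, ids = entry.partition(" -> ")
        pkg = pkg.strip()
        id_list = ids.split()
        if not pkg or not id_list:
            raise ValueError(f"malformed entry: {entry!r}")
        for ident in id_list:
            if not (CVE_RE.match(ident) or TEMP_RE.match(ident)):
                raise ValueError(f"unrecognised identifier {ident!r} for {pkg}")
        issues[pkg] = id_list
    return issues


def oldest_year(ids):
    """Year of the oldest CVE among ids, or None if the package has only TEMP ids."""
    years = [int(m.group(1)) for m in map(CVE_RE.match, ids) if m]
    return min(years) if years else None


def pick_order(issues):
    """Packages ordered oldest CVE first, ties alphabetical; TEMP-only packages last."""
    def key(pkg):
        year = oldest_year(issues[pkg])
        return (year is None, year or 0, pkg)
    return sorted(issues, key=key)


if __name__ == "__main__":
    parsed = parse_issue_list(UNFIXED_SAMPLE)
    for pkg in pick_order(parsed):
        print(f"{pkg:12} oldest={oldest_year(parsed[pkg])} ids={' '.join(parsed[pkg])}")
```

Running it prints mono (2009) first and cakephp (TEMP id only, no year) last; the order between aptdaemon and nss, both oldest 2015, falls back to the package name so the result is stable across runs.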