On Tue, Mar 01, 2016 at 07:15:28AM +0000, Mike Gabriel wrote:
[..snip..]
> >>Issues that are unfixed in wheezy but fixed in squeeze:
> >>* aptdaemon -> CVE-2015-1323
> >>* cakephp -> TEMP-0000000-698CF7
> >>* dhcpcd -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
> >>* eglibc -> CVE-2014-9761
> >>* extplorer -> CVE-2015-0896
> >>* fuseiso -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
> >>* gosa -> CVE-2014-9760 CVE-2015-8771
> >>* gtk+2.0 -> CVE-2013-7447
> >>* icu -> CVE-2015-2632
> >>* imagemagick -> TEMP-0773834-5EB6CF
> >>* imlib2 -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764
> >>* inspircd -> CVE-2015-8702
> >>* libebml -> CVE-2015-8790 CVE-2015-8791
> >>* libidn -> CVE-2015-2059 TEMP-0000000-54045E
> >>* libmatroska -> CVE-2015-8792
> >>* libsndfile -> CVE-2014-9756 CVE-2015-7805
> >>* libstruts1.2-java -> CVE-2015-0899
> >>* libtorrent-rasterbar -> CVE-2015-5685
> >>* mono -> CVE-2009-0689
> >>* nss -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
> >>* optipng -> CVE-2015-7801
> >>* phpmyadmin -> CVE-2016-2039 CVE-2016-2041
> >>* pixman -> CVE-2014-9766
> >>* python-tornado -> CVE-2014-9720
> >>* roundcube -> CVE-2015-8770
> >>* srtp -> CVE-2015-6360
> >>* tomcat6 -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033
> >>CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227
> >>CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
> >>CVE-2016-0706 CVE-2016-0714 CVE-2016-0763
> >
> >I'm focusing on these picking older ones over newer ones to not stomp
> >onto the security teams toes.
>
> Do you announce anywhere, that you will start working on a specific package?
> Wouldn't it make sense to put all the packages listed below into
> data/dsa-needed.txt (with approval from the Security Team) and then put our
> names behind those package names?

In order to avoid double work I added these to dsa-needed.txt and put my
name on the line.

Cheers,
 -- Guido