Status of security support in Debian stable
Hello, I would like to ask about the status of security support for LAMP packages in Debian stable. I've noticed that security-related updates have been lagging behind upstream - for example, PHP security updates from Debian usually come out a few weeks or even months after the upstream release. When the next stable is released and the long-term team takes over, this delay goes away. For me it's currently most notable in MariaDB - while version 10.0 from Jessie has received multiple updates in the past few months (after becoming long-term), 10.1 in Stretch has not been updated in a year (and its changelog does mention CVEs). Does anyone know the reason behind this? Is it because stable and long-term maintainers have different opinions about the severity of the vulnerabilities? Or do stable maintainers of LAMP-related packages simply not have enough time to release without delays, and users are better off using upstream releases? Thanks for all the replies.
Re: [pkg][dhcpig] ready for review
Hi, On Mon, 03 Sep 2018, p...@reseau-libre.net wrote: > I've updated dhcpig to suppress the dependency to go-md2man. This > allows the build on non-linux hosts (hurd, kfreebsd...). If any of the > DDs have some time to review the update? Done and uploaded. Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: https://www.freexian.com/services/debian-lts.html Learn to master Debian: https://debian-handbook.info/get/
Re: Hardening Linux conf
[replying to you also] On Mon, Sep 03, 2018 at 12:48:53PM +0200, Tomas Bortoli wrote: > It allows you to quickly find weak spots in Linux configs. Running it against: > https://salsa.debian.org/kernel-team/linux/blob/master/debian/config/config This is not the config of the Debian kernel. And if you had had a look into it, you would have seen that it looks different from a normal Linux config file. > That, AFAIK, is the official config, gave: > https://pastebin.com/0sctgpSz > With many failed tests. Please interpret the errors yourself. A tool is only as good as the person using it. If you have specific questions, you can reach the kernel maintainers at debian-ker...@lists.debian.org or by submitting a bug report against src:linux. > Is it possible to get some feedback from the people involved, regarding > this issue? There is no issue. You compared something you can't compare. You did not see that it tells you that Ubuntu decided on these values, not Debian. Bastian -- ... The prejudices people feel about each other disappear when they get to know each other. -- Kirk, "Elaan of Troyius", stardate 4372.5
Hardening Linux conf
Hi, I've recently discovered this interesting resource: https://a13xp0p0v.github.io/2018/07/07/kconfig-hardened-check.html It allows you to quickly find weak spots in Linux configs. Running it against: https://salsa.debian.org/kernel-team/linux/blob/master/debian/config/config That, AFAIK, is the official config, gave: https://pastebin.com/0sctgpSz With many failed tests. Is it possible to get some feedback from the people involved, regarding this issue? Tomas
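The kind of check discussed in this thread, as an added example that is not part of the original post and is not the kconfig-hardened-check tool itself: a small script that parses a standard Kconfig `.config` file and compares a handful of hardening options against expected values. The option list and expected values are an assumed illustrative subset, not the tool's rule set, and the sample config is constructed. As the reply above points out, the file under debian/config/ in the Debian packaging tree is not a plain `.config`; this parser only understands the standard `CONFIG_X=y` / `# CONFIG_X is not set` format that a built kernel ships in /boot/config-*.

```python
#!/usr/bin/env python3
# Added example: a minimal hardening-option checker for a standard Kconfig .config.
# Not the kconfig-hardened-check tool; the option list below is an assumed subset.
import re
import sys

# Assumed illustrative expectations; a real checker carries many more rules and
# varies them by architecture and kernel version.
EXPECTED = {
    "CONFIG_STACKPROTECTOR_STRONG": "y",
    "CONFIG_RANDOMIZE_BASE": "y",
    "CONFIG_STRICT_KERNEL_RWX": "y",
    "CONFIG_DEBUG_LIST": "y",
    "CONFIG_DEVKMEM": "is not set",
    "CONFIG_LEGACY_PTYS": "is not set",
}

LINE_SET = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
LINE_UNSET = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_config(text):
    """Parse standard .config text into {option: value}.

    '# CONFIG_X is not set' is recorded as 'is not set'; string values lose
    their surrounding quotes; comments and blank lines are ignored.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = LINE_UNSET.match(line)
        if m:
            opts[m.group(1)] = "is not set"
    return opts


def check(opts, expected=EXPECTED):
    """Return [(option, expected, actual)] for every mismatch.

    actual is None when the option does not appear at all, which may simply
    mean it does not exist for this architecture or kernel version: a caveat
    the person reading the report has to resolve, not the script.
    """
    failures = []
    for opt, want in expected.items():
        got = opts.get(opt)
        if got != want:
            failures.append((opt, want, got))
    return failures


# Constructed sample fragment, not a real Debian kernel config.
SAMPLE_CONFIG = """\
# Constructed sample .config fragment
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_STRICT_KERNEL_RWX is not set
CONFIG_DEBUG_LIST=y
CONFIG_DEVKMEM=y
CONFIG_LEGACY_PTYS=y
CONFIG_LOCALVERSION=""
"""


def main(argv):
    # Usage: check_config.py [/boot/config-$(uname -r)]; defaults to the sample.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    failures = check(parse_config(text))
    for opt, want, got in failures:
        print(f"FAIL {opt}: expected {want!r}, found {got!r}")
    print(f"{len(failures)} of {len(EXPECTED)} checks failed")
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real config with `python3 check_config.py /boot/config-$(uname -r)`. Run without arguments it reports three failures on the constructed sample. An option that is absent is reported as `None` rather than silently passing, so the output has to be read with the target architecture and kernel version in mind, which is the point made in the reply above.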
[pkg][dhcpig] ready for review
Hi all! I've updated dhcpig to suppress the dependency to go-md2man. This allows the build on non-linux hosts (hurd, kfreebsd...). If any of the DDs have some time to review the update? Cheers, -- Philippe THIERRY.
External check
CVE-2018-14627: RESERVED -- The output might be a bit terse, but the above IDs are known elsewhere; check the references in the tracker. The second part indicates the status of that ID in the tracker at the moment the script was run.