severity 861842 important
thanks

On 4 May 2017 at 18:36, Lee Garrett <deb...@rocketjump.eu> wrote:

> Source: snort
> Version: 2.9.7.0-5
> Severity: grave
> Justification: renders package unusable
>

I do not agree that this Snort version being EOL makes the package
unusable. Sure, it will be difficult to support as there will be no support
upstream, but not unusable to end users.  The package can still be used,
and sysadmins can update it with rules if they invest the required time.

I agree however, it was an oversight on our side to not provide an updated
Snort version last year, before the freeze.
> The version of snort in Debian testing/sid has reached EOL in March [0],
> making it difficult to provide security updates or rule updates over the
> lifecycle of stretch. Since no newer version is packaged yet and stretch is
> deep into the freeze, I suggest removing the package from stretch
>

As you said, it might be difficult to get security updates, but not
impossible. Patches can be backported.

As for the risk of potential security vulnerabilities during Stretch's
lifecycle: it is also worth noting that Snort does not have a bad track
record of security bugs that need an immediate fix. There has only been one
DSA for Snort in Debian (DSA-297 [1]). Overall, NIST's Vulnerability
Database has only 30 security bugs reported for Snort [2] in the past 17
years, of which only a few (4) led to remote execution (2 of them were
fixed in the DSA above). As maintainer, I am willing to work on backporting
fixes for vulnerabilities if required.

As for rule updates: Snort users can run the release in Debian and still
get some new rules for it. They will not be able to use new rules that make
use of preprocessors. But this would be the same if we had 2.9.8.3 in
Debian instead; some rules would only work with newer releases (e.g.
2.9.9.0). Also note that in Debian we do not distribute rule updates; only
a limited subset of the rules available on the Internet is provided (see
the snort-rules-default package for more information).

Based on the reasoning above, and the fact that the 'grave' severity does
not really qualify for "unmaintained/unsupported" software in Debian, I'm
reducing the severity of this bug.

I will not oppose the removal if the Debian Security team requests it, but
please be aware that in the past we have shipped software in the stable
release that is no longer maintained upstream.

Best regards

Javier

[1] https://www.debian.org/security/2003/dsa-297
[2] https://nvd.nist.gov/vuln/search/results?adv_search=false&form_type=basic&results_type=overview&search_type=all&query=snort