Hi Javier, thank you for your response. I filed this bug more as a dead man's switch since the package seemed to lack recent updates. If you're willing to maintain this version during the lifecycle of stretch I'm fine with your assessment.
I'm interested in getting 3.0 into stretch+1, and maybe even in stretch-backports. Is someone currently working on that who I can coordinate with? I've sent a join request to the project, my username is lgarrett-guest. Greets, Lee On 13/05/17 15:14, Javier Fernandez-Sanguino wrote: > severity 861842 important > thanks > > On 4 May 2017 at 18:36, Lee Garrett <[email protected] > <mailto:[email protected]>> wrote: > > Source: snort > Version: 2.9.7.0-5 > Severity: grave > Justification: renders package unusable > > > I do not agree that this Snort version being EOL makes the package unusable. > Sure, it will be difficult to support as there will be no support upstream, > but not unusable to end users. The package can still be used, and sysadmins > can update it with rules if they invest the required time. > > I agree however, it was an oversight on our side to not provide an updated > Snort version last year, before the freeze. > > > > The version of snort in Debian testing/sid has reached EOL in March [0], > making > it difficult to provide security updates or rule updates over the > lifecycle of > stretch. Since no newer version is packaged yet and stretch is deep into > the > freeze, I suggest removing the package from stretch > > > As you said, it might be difficult to get security updates, but not > impossible. Patches can be backported. > > As for the risk of potential security vulnerabilities during Stretch's > lifecycle: It is worth noting, also, that Snort does not have a bad track > record of security bugs that need an immediate fix. There has only been one > DSA for Snort in Debian (DSA-297 [1]). Overall, NIST's Vulnerability database > has only 30 security bugs reported for Snort [2] in the past 17 years, of > which only a few (4) led to remote execution (2 of them were fixed in the DSA > above). As maintainer, I am willing to work in backporting fixes of > vulnerabilities if required. > > As for rule updates: Snort users can run the release in Debian and still get > some new rules in it. There will not be able to use new rules that make use of > preprocessors. But this is the same if we would have 2.9.8.3 in Debian > instead, some rules would only work with newer releases (e.g. 2.9.9.0). Also > note that in Debian we do not distribute rule updates, only a limited subset > of the available rules in the Internet are provided (see the > snort-rules-default package for more information) > > Based on the reasoning above, and the fact that the 'grave' severity does not > really qualify for "unmaintained/unsupported" software in Debian, I'm reducing > the severity of this bug. > > I will not oppose the removal if the Debian Security team requests it, but > please be aware in the past we have shipped software in the stable release > that is not maintained upstream anymore. > > Best regards > > Javier > > [1] https://www.debian.org/security/2003/dsa-297 > [2] > > https://nvd.nist.gov/vuln/search/results?adv_search=false&form_type=basic&results_type=overview&search_type=all&query=snort >

