On Tue, Jun 03, 2014 at 12:14:13PM +0100, Steven Chamberlain wrote:
> Hi,
>
> I noticed an interesting problem that squeeze-lts creates for debsecan.
>
> debsecan (at least the version in squeeze) doesn't seem to know about
> libgnutls26 version 2.8.6-1+squeeze4, or even that it has the fixes from
> versions 2.8.6-1+squeeze3 and prior.
>
> It means that CVE-2014-3466 will remain as "Vulnerabilities without
> updates", and even old vulnerabilities are listed as affecting the
> installed libgnutls26 again, in the "New security updates" category.
>
> Is the security tracker expected to have data for squeeze-lts at some
> point, or should squeeze-lts users discontinue using debsecan?

The gnutls fix wasn't added to the security tracker, I'll fix that later.

I have updated the wiki documentation with all the steps needed to release
an update for squeeze-lts (starting with "Preparing fixed packages for
squeeze-lts"):
https://wiki.debian.org/LTS/Development

Cheers,
Moritz
