Hi, On Mon, Feb 29, 2016 at 03:25:46PM +0000, Mike Gabriel wrote: > For this, we can run bin/lts-needs-forward-port.py from the secure-testing > repo and see what issues we fixed in squeeze and port those fixes to the > package version in wheezy-security. Package updates must be coordinated with > the Debian Security Team, not within the LTS team, though: > > * prepare a fixed package > * test the package > * send a .debdiff to t...@security.debian.org > * wait for feedback and ideally permission to upload to wheezy-security
That's what I'm doing at the moment (sending the debdiff to the bug report in case there is one as well) for issues that are unfixed (not no-dsa, see below). [..snip..] > Issues that are unfixed in wheezy but fixed in squeeze: > * aptdaemon -> CVE-2015-1323 > * cakephp -> TEMP-0000000-698CF7 > * dhcpcd -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700 > * eglibc -> CVE-2014-9761 > * extplorer -> CVE-2015-0896 > * fuseiso -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E > * gosa -> CVE-2014-9760 CVE-2015-8771 > * gtk+2.0 -> CVE-2013-7447 > * icu -> CVE-2015-2632 > * imagemagick -> TEMP-0773834-5EB6CF > * imlib2 -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764 > * inspircd -> CVE-2015-8702 > * libebml -> CVE-2015-8790 CVE-2015-8791 > * libidn -> CVE-2015-2059 TEMP-0000000-54045E > * libmatroska -> CVE-2015-8792 > * libsndfile -> CVE-2014-9756 CVE-2015-7805 > * libstruts1.2-java -> CVE-2015-0899 > * libtorrent-rasterbar -> CVE-2015-5685 > * mono -> CVE-2009-0689 > * nss -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938 > * optipng -> CVE-2015-7801 > * phpmyadmin -> CVE-2016-2039 CVE-2016-2041 > * pixman -> CVE-2014-9766 > * python-tornado -> CVE-2014-9720 > * roundcube -> CVE-2015-8770 > * srtp -> CVE-2015-6360 > * tomcat6 -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033 > CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227 > CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351 > CVE-2016-0706 CVE-2016-0714 CVE-2016-0763 I'm focusing on these picking older ones over newer ones to not stomp onto the security teams toes. > > Issues that are no-dsa in wheezy but fixed in squeeze: > * augeas -> CVE-2012-0786 CVE-2012-0787 > * binutils -> TEMP-0000000-A2945B > * busybox -> TEMP-0803097-A74121 > * chrony -> CVE-2016-1567 > * dbconfig-common -> TEMP-0805638-5AC56F > * dwarfutils -> CVE-2015-8750 > * foomatic-filters -> TEMP-0000000-ACBC4C > * imagemagick -> CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 > CVE-2014-8716 TEMP-0806441-76CD60 TEMP-0806441-CB092C > * libemail-address-perl -> TEMP-0000000-F41FA7 > * libfcgi-perl -> CVE-2012-6687 > * librsvg -> CVE-2015-7557 > * libsndfile -> CVE-2014-9496 > * libunwind -> CVE-2015-3239 > * openslp-dfsg -> CVE-2012-4428 > * openssh -> CVE-2015-5352 CVE-2015-5600 > * php5 -> CVE-2011-0420 CVE-2011-1657 > * postgresql-8.4 -> CVE-2015-3165 CVE-2015-3166 CVE-2015-3167 > CVE-2015-5288 > * python-scipy -> CVE-2013-4251 > * python2.6 -> CVE-2011-4940 CVE-2013-4238 CVE-2014-1912 > * qt4-x11 -> CVE-2015-0295 CVE-2015-1858 CVE-2015-1859 > CVE-2015-1860 > * remind -> CVE-2015-5957 > * ruby1.8 -> CVE-2009-5147 > * ruby1.9.1 -> CVE-2009-5147 > * t1utils -> CVE-2015-3905 > * texlive-extra -> CVE-2012-2120 > * tomcat6 -> CVE-2013-4590 > * vorbis-tools -> CVE-2014-9638 CVE-2014-9639 CVE-2014-9640 > CVE-2015-6749 > """ I think these would be adressed via stable point release updates in wheezy/jessie rather than going via the security team. Cheers, -- Guido