On Wed, May 29, 2019 at 10:16:56AM +0000, Mike Gabriel wrote:
> Hi Thijs,
> 
> On Tue 28 May 2019 18:17:39 CEST, Thijs Kinkhorst wrote:
> 
> > On Tue, May 28, 2019 16:01, Chris Lamb wrote:
> > > Mike Gabriel wrote:
> > > 
> > > > The Debian LTS team would like to fix the security issues which are
> > > > currently open in the Jessie version of simplesamlphp:
> > > 
> > > Which CVE is/was this for? I am just looking at:
> > > 
> > >   https://security-tracker.debian.org/tracker/source-package/simplesamlphp
> > > 
> > > ... and not seeing anything relevant. Is it still vulnerable? If so, we
> > > should remove it from dla-needed.txt, naturally.
> > 
> > As the maintainer I have triaged all open issues and see no reason for
> > releasing a jessie update at this point.
> 
> There are some no-dsa issues that should be easy to fix (CVE-2018-7711,
> CVE-2016-9955, CVE-2016-9814).
> 
> In the LTS team, we sometimes--when time allows it--work on those, too. From
> your message above, I get that you take care of simplesamlphp in jessie
> yourself and rather would not want to have us work on the above CVEs, right?

If for a given CVE the desired outcome is to not fix oldstable/stable (which is
often the right outcome if the risk of regressions and work burdened on the
people deploying the updates doesn't outweigh the security fix), then those CVEs
should be tagged <ignored> in the Security Tracker.

Cheers,
        Moritz
