On Thu, Apr 29, 2021 at 06:29:33PM +0200, Sylvain Beucler wrote:
> Hi,
>
> I saw a batch of new CVEs were tracked for 'unbound', but not for the
> stretch-specific 'unbound1.9' package[1].
>
> I can go ahead and add '- unbound1.9' entries in data/CVE/list but I'm not
> sure whether that's what we want. Should I?
>
> [1] https://lists.debian.org/debian-lts/2021/02/threads.html#00023

As I tried to explain back then in the thread, IIRC, that would in fact not be really technically correct, because unbound1.9 was never in unstable at any point in time. As such technically - unbound1.9 <removed> would so imply that.

I'm not sure if they will warrant an update, but if you think so why not as proposed there just add the item to dla-needed.txt list and mention the association with unbound (which LTS does not support anymore, right?)?

FTR, linux-4.19 is handled in the very similar way, we never add those entries for "unstable" to data/CVE/list but Ben just fixes them in a DLA accordingly.

I would follow here the same schema for this very special package and situation (and if you have it document it accordingly for the LTS workflows).

Regards,
Salvatore