On Tuesday, 02.02.2016, at 10:58 +0100, Freddy Spierenburg wrote:
> Hi Wolfgang,
>
> On Tue, Feb 02, 2016 at 11:40:03AM +0200, Wolfgang Jeltsch wrote:
> > I notice that there are no fixes for oldstable. Is oldstable not
> > affected by this security issue?
> [cut]
> > > Package : curl
> > > CVE ID : CVE-2016-0755
>
> Please check out: https://security-tracker.debian.org/tracker/CVE-2016-0755

Hi,

so as I understand, this security hole will not be fixed in oldstable. While I can understand that this might be a sensible decision, I wonder why this is not announced prominently.

I understood that oldstable has security support, meaning that all known security holes in it will be fixed by default. There have been cases when the security team stopped supporting certain packages in oldstable, but where this was clearly announced.

So far I relied on the assumption that I am on the safe side if I regularly install all available security updates and watch out for announcements of discontinuation of security support. Now I wonder how many security holes my system already has, because issues have gone silently unfixed.

Can anyone please clarify? In particular, I would like to know what the exact policies regarding coverage of security support are, and what issues have not been fixed intentionally in oldstable (and maybe even stable).

Thank you very much.

All the best,
Wolfgang

