Gareth Evans schrieb: > Given that these are all fixed in Bullseye (and at least the grave > apt-listbugs issue has been fixed in eg Ubuntu since March 2020 [1]) > why not also Buster? [...] > According to > > https://tracker.debian.org/pkg/runc > > there are 3 open security issues in (Stretch and) Buster
Most are marked "vulnerable (no DSA)". According to <https://security-team.debian.org/triage.html> and <https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory>, that may mean that minor issues will be fixed with a point update or "are simply not worth fixing in a stable release". CVE-2021-30465 is scheduled to get a security update for buster. > (though I > imagine Debian's support for Stretch has ended with EOL in 2020?) - Stretch will get security support via the Debian LTS project (<https://wiki.debian.org/LTS>) until the end of June, 2022. Debian Jessie still gets some security support via the Debian ELTS project (<https://wiki.debian.org/LTS/Extended>) for the same time period. Most probably the same will happen for Stretch after LTS support has ended. -thh