Re: Security support incomplete? (was: Re: [SECURITY] [DSA 3455-1] curl security update)

2016-02-02 Thread Marc Haber
On Tue, Feb 02, 2016 at 05:14:42PM +0100, Yves-Alexis Perez wrote:
> On Tue., 2016-02-02 at 17:37 +0200, Wolfgang Jeltsch wrote:
> > Can anyone please clarify? In particular, I would like to know what the
> > exact policies regarding coverage of security support are, and what
> > issues have not been fixed intentionally in oldstable (and maybe even
> > stable).
> 
> Everything is in the tracker.

This answer is not helpful at all. Wolfgang has made clear that he
didn't fully grasp the - terse - information that can be found in the
tracker. It does NOT help at all just to point him again towards the
source that he hasn't understood.

Just for the record, I as well don't fully grasp the information that
can be found in the tracker, I concur with his interpretation and I am
equally disturbed by this interpretation.

Greetings
Marc


-- 
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things." Winona Ryder    | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Re: Security support incomplete? (was: Re: [SECURITY] [DSA 3455-1] curl security update)

2016-02-02 Thread Sébastien NOBILI
Hi,

On Tuesday, 2 February 2016 at 18:21, Wolfgang Jeltsch wrote:
>   • Where is a list of unfixed security issues?

The "debsecan" package might be an option for getting such a list. I don't have an
oldstable install to check if this particular issue is in the list. Maybe
someone else could check for it?

Sébastien



Re: Security support incomplete? (was: Re: [SECURITY] [DSA 3455-1] curl security update)

2016-02-02 Thread Holger Levsen
Hi Wolfgang,

On Tuesday, 2 February 2016, Wolfgang Jeltsch wrote:
>   • Where does the tracker talk about security policies? (I actually
> doubt that such information is in the tracker at all.)

That's out of scope for the tracker indeed, however right now I don't know 
where to find such policies.

>   • Where is a list of unfixed security issues?

https://security-tracker.debian.org/tracker/ links to filters for the 
different suites, eg "Vulnerable packages in the stable suite" points to 
https://security-tracker.debian.org/tracker/status/release/stable where you 
can tune your view.

So https://security-tracker.debian.org/tracker/status/release/stable?filter=1&filter=high_urgency&filter=medium_urgency&filter=low_urgency&filter=unimportant_urgency&filter=unassigned_urgency&filter=undetermined_issues&filter=nodsa

is probably the URL which will show you the highest number of security issues 
in stable ;)
 
> URLs would be highly appreciated.

not directly answering your questions, but maybe still useful:

http://security-team.debian.org/security_tracker.html


cheers,
Holger
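Both Sébastien's debsecan suggestion and Holger's tracker filter URL answer the "where is a list of unfixed security issues?" question. As an added example that is not part of either reply and not Debian's own tooling, the Python script below answers it from the tracker's machine-readable export at https://security-tracker.debian.org/tracker/data/json, and additionally separates the case this thread is about: issues still open in one release while already resolved in another, with the tracker's no-DSA note as the stated reason. The field names (`releases`, `status`, `urgency`, `fixed_version`, `nodsa`) follow that export as I know it; the embedded sample is constructed to mirror the curl entry discussed here (in February 2016, stable was jessie and oldstable was wheezy), its version strings and the second CVE identifier are placeholders, and the "Too intrusive to backport" text is the note quoted in this thread.

```python
#!/usr/bin/env python3
"""List open (unfixed) CVEs for a Debian release from the security tracker's
JSON export (https://security-tracker.debian.org/tracker/data/json).

Added example, not Debian's own tooling.  With no arguments it runs on the
constructed sample below; to use real data, download the export first:
    curl -sSLo tracker.json https://security-tracker.debian.org/tracker/data/json
    python3 unfixed.py tracker.json wheezy
"""
import json
import sys

# Constructed sample in the shape of the tracker export.  "CVE-0000-0000" is a
# placeholder identifier and the fixed_version strings are placeholders; the
# "Too intrusive to backport" note is the text quoted in this thread.
SAMPLE = json.loads(r'''
{
  "curl": {
    "CVE-2016-0755": {
      "scope": "remote",
      "description": "constructed description",
      "releases": {
        "jessie": {"status": "resolved", "fixed_version": "0.0-placeholder-jessie",
                   "urgency": "not yet assigned"},
        "wheezy": {"status": "open", "urgency": "not yet assigned",
                   "nodsa": "Too intrusive to backport"},
        "sid":    {"status": "resolved", "fixed_version": "0.0-placeholder-sid",
                   "urgency": "not yet assigned"}
      }
    }
  },
  "examplepkg": {
    "CVE-0000-0000": {
      "scope": "local",
      "description": "constructed: still open in every release",
      "releases": {
        "jessie": {"status": "open", "urgency": "low"},
        "wheezy": {"status": "open", "urgency": "low"},
        "sid":    {"status": "open", "urgency": "low"}
      }
    }
  }
}
''')


def open_issues(data, release, include_nodsa=True):
    """Return sorted (package, cve, urgency, nodsa_note) tuples for every issue
    whose status in `release` is "open".  With include_nodsa=False, issues the
    security team has explicitly marked no-DSA (left unfixed on purpose) are
    dropped, which mirrors the tracker's "nodsa" filter checkbox."""
    rows = []
    for package, cves in data.items():
        for cve, info in cves.items():
            rel = info.get("releases", {}).get(release)
            if rel is None or rel.get("status") != "open":
                continue
            note = rel.get("nodsa")
            if note is not None and not include_nodsa:
                continue
            rows.append((package, cve, rel.get("urgency", "unknown"), note))
    return sorted(rows)


def silently_unfixed(data, release, fixed_in="sid"):
    """Issues open in `release` but already resolved in `fixed_in`: the case
    raised in this thread, where a fix exists elsewhere and the release was
    skipped.  The no-DSA note, when present, is the tracker's stated reason."""
    out = []
    for package, cve, _urgency, note in open_issues(data, release):
        other = data[package][cve].get("releases", {}).get(fixed_in, {})
        if other.get("status") == "resolved":
            out.append((package, cve, note or "(no reason recorded)"))
    return out


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    release = argv[2] if len(argv) > 2 else "wheezy"
    for package, cve, urgency, note in open_issues(data, release):
        flag = f"  [no-DSA: {note}]" if note else ""
        print(f"{release}: {package} {cve} urgency={urgency}{flag}")
    print(f"--- open in {release} but resolved in sid ---")
    for package, cve, reason in silently_unfixed(data, release):
        print(f"{package} {cve}: {reason}")


if __name__ == "__main__":
    main(sys.argv)
```

On the sample, `open_issues(SAMPLE, "wheezy")` lists both entries, dropping the no-DSA curl entry when `include_nodsa=False`, and `silently_unfixed(SAMPLE, "wheezy")` reports only curl with the "Too intrusive to backport" reason; the same run against the real export for a given suite gives the list asked for in this thread, with the no-DSA column showing which entries were left unfixed deliberately.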




Re: Security support incomplete? (was: Re: [SECURITY] [DSA 3455-1] curl security update)

2016-02-02 Thread Wolfgang Jeltsch
On Tuesday, 02.02.2016, 17:14 +0100, Yves-Alexis Perez wrote:
> On Tue., 2016-02-02 at 17:37 +0200, Wolfgang Jeltsch wrote:
> > Can anyone please clarify? In particular, I would like to know what the
> > exact policies regarding coverage of security support are, and what
> > issues have not been fixed intentionally in oldstable (and maybe even
> > stable).
> 
> Everything is in the tracker.

Hi,

could someone maybe give me a more specific answer?

  • Where does the tracker talk about security policies? (I actually
doubt that such information is in the tracker at all.)

  • Where is a list of unfixed security issues?

URLs would be highly appreciated.

Please note that while such brief answers as above might be appropriate
for developers, they are typically not very helpful for users.

All the best,
Wolfgang



Re: Security support incomplete? (was: Re: [SECURITY] [DSA 3455-1] curl security update)

2016-02-02 Thread Yves-Alexis Perez
On Tue., 2016-02-02 at 17:37 +0200, Wolfgang Jeltsch wrote:
> Can anyone please clarify? In particular, I would like to know what the
> exact policies regarding coverage of security support are, and what
> issues have not been fixed intentionally in oldstable (and maybe even
> stable).

Everything is in the tracker.

Regards,
-- 
Yves-Alexis





Re: Security support incomplete? (was: Re: [SECURITY] [DSA 3455-1] curl security update)

2016-02-02 Thread Lupe Christoph
On Tuesday, 2016-02-02 at 17:14:42 +0100, Yves-Alexis Perez wrote:
> On Tue., 2016-02-02 at 17:37 +0200, Wolfgang Jeltsch wrote:
> > Can anyone please clarify? In particular, I would like to know what the
> > exact policies regarding coverage of security support are, and what
> > issues have not been fixed intentionally in oldstable (and maybe even
> > stable).

> Everything is in the tracker.

This is three-fold: the DSA does not mention oldstable at all, the DSA
does not link to the tracker, and the text in the tracker page does not
really justify the decision to leave oldstable unfixed "Too intrusive
to backport". What?!? The link with that text points to a page that does
nothing to explain the decision.

Lupe Christoph
-- 
| As everyone knows, it was predicted that the world would end last   |
| Wednesday at 10:00 PST.  Since there appears to be a world in existence |
| now, the entire universe must therefore have been recreated, complete   |
| with an apparent "history", last *Thursday*.  QED.  |
| Seanna Watson, <1992nov2.165142.11...@bcrka451.bnr.ca>  |



Security support incomplete? (was: Re: [SECURITY] [DSA 3455-1] curl security update)

2016-02-02 Thread Wolfgang Jeltsch
On Tuesday, 02.02.2016, 10:58 +0100, Freddy Spierenburg wrote:
> Hi Wolfgang,
> 
> On Tue, Feb 02, 2016 at 11:40:03AM +0200, Wolfgang Jeltsch wrote:
> > I notice that there are no fixes for oldstable. Is oldstable not
> > affected by this security issue?
> [cut]
> > > Package: curl
> > > CVE ID : CVE-2016-0755
> 
> Please check out: https://security-tracker.debian.org/tracker/CVE-2016-0755

Hi,

so as I understand, this security hole will not be fixed in oldstable.

While I can understand that this might be a sensible decision, I wonder
why this is not announced prominently. I understood that oldstable has
security support, meaning that all known security holes in it will be
fixed by default. There have been cases when the security team stopped
supporting certain packages in oldstable, but where this was clearly
announced.

So far I relied on the assumption that I am on the safe side if I
regularly install all available security updates and watch out for
announcements of discontinuation of security support. Now I wonder how
many security holes my system already has, because issues have gone
silently unfixed.

Can anyone please clarify? In particular, I would like to know what the
exact policies regarding coverage of security support are, and what
issues have not been fixed intentionally in oldstable (and maybe even
stable).

Thank you very much.

All the best,
Wolfgang