Hello Sam and Russ,

I was doing some CVE triaging for Squeeze LTS and CVE-2014-5353 was still on our radar for squeeze. I looked it up and decided that it was not severe enough to warrant preparing an update (since you need elevated privileges of being able to set a password policy to be able to trigger the crash, I guess you can do worse with those privileges...).
Let me know if my analysis is incorrect so that we can reconsider preparing an update.

In fact there are multiple issues in squeeze that have been marked as "no-dsa" (i.e. not important enough to ask members of the LTS team to spend their time on it). But as maintainers if you want to fix those in squeeze, you are more than welcome to do it:
https://security-tracker.debian.org/tracker/source-package/krb5

See http://wiki.debian.org/LTS/Development for instructions on how to prepare an update. That said if you prepare a fixed package, we will gladly take care of the administrative part of the work.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
