Hi Ben, sorry for the late answer, but I need to understand how Oracle will continue to play the Open Source game.
They generally refuse to give CVE patches. Oracle forbids employees to give commit ids to developers who want to cherry-pick a patch for a CVE.

Months ago Frank (from Oracle) helped us a lot, and now he is on VAC, and nobody so far has helped us in fixing the latest CVE in Jessie.

Another CVE has been fixed with a patch from a community member in the vbox mail list, because my request hasn't been answered by official developers. (Actually the patch was a cherry-pick and it was correct to my checks, and upstream rejected my tweaks, so I applied it as-is.)

If they want to have the package in Debian they need to learn how to help people in packaging it.

Vbox developers don't want to have work troubles by giving patches to us, so for now I just asked for a policy exception for Debian.

That said, I'll probably ask for a removal of virtualbox if we can't guarantee a CVE-free stable version.

So, sorry for the long mail, but I have no manpower to maintain this huge package if upstream doesn't help me.

If somebody wants to take a look, they are free to do so. I won't look at it probably for 15 days or more. (I'm really busy with other packages much easier to maintain.)

(I know you maintain the linux package, I know it is much harder than virtualbox, this is why I'll try to fix the package as soon as possible.)

(sorry for typos and top posting)

cheers,

Gianfranco

From: "Ben Hutchings" <b...@debian.org>
Date: Thu, 16 Jul, 2015 at 20:40
Subject: squeeze update of virtualbox-ose?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are currently open in the Squeeze version of virtualbox-ose:

https://security-tracker.debian.org/tracker/CVE-2012-3221
https://security-tracker.debian.org/tracker/CVE-2013-3792
https://security-tracker.debian.org/tracker/CVE-2013-5892
https://security-tracker.debian.org/tracker/CVE-2014-0404
https://security-tracker.debian.org/tracker/CVE-2014-0406
https://security-tracker.debian.org/tracker/CVE-2014-0407
https://security-tracker.debian.org/tracker/CVE-2014-0981
https://security-tracker.debian.org/tracker/CVE-2014-0983
https://security-tracker.debian.org/tracker/CVE-2014-2486
https://security-tracker.debian.org/tracker/CVE-2014-2488
https://security-tracker.debian.org/tracker/CVE-2014-2489
https://security-tracker.debian.org/tracker/CVE-2015-2594

Would you like to take care of this yourself? We are still understaffed so any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

Thank you very much.

Ben Hutchings, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

--
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams