Hi, right now the security tracker shows CVEs marked as "end-of-life" as "vulnerable", and in the open issue list. A good example is the redmine package:

https://security-tracker.debian.org/tracker/source-package/redmine

CVE-2015-8477, CVE-2014-1985, CVE-2012-2054 and CVE-2012-0327 all affect only wheezy and squeeze, so they shouldn't be marking redmine as "insecure", as they affect only "unsupported" versions of the package. The attached patch, which I could commit but would prefer a review of, should fix this:

Index: lib/python/security_db.py =================================================================== --- lib/python/security_db.py (révision 38625) +++ lib/python/security_db.py (copie de travail) @@ -179,7 +179,7 @@ # Compute state. Update state-seen flags for global state # determination. if best_row.vulnerable: - if best_row.urgency == 'unimportant': + if best_row.urgency == 'unimportant' or best_row.urgency == 'end-of-life': state = 'unimportant' unimportant_seen = True else:

This marks "end-of-life" packages as "unimportant". An alternative would be to mark them as fixed:

Index: lib/python/security_db.py =================================================================== --- lib/python/security_db.py (révision 38625) +++ lib/python/security_db.py (copie de travail) @@ -178,7 +178,7 @@ # Compute state. Update state-seen flags for global state # determination. - if best_row.vulnerable: + if best_row.vulnerable and best_row.urgency != 'end-of-life': if best_row.unimportant == 'unimportant': state = 'unimportant' unimportant_seen = True

I tested the former locally, and it looks okay, but I think the latter makes more sense. Let me know what you think is best. Thanks!

a.

-- 
Only what can be refuted has a scientific character. What is not refutable belongs to magic or mysticism. - Karl Popper
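Review bot: In the first hunk (`@@ -179,7 +179,7 @@`), folding 'end-of-life' into the 'unimportant' branch makes an end-of-life issue set the same `state = 'unimportant'` and `unimportant_seen = True` as a genuinely unimportant one, so the two cases become indistinguishable downstream and the tracker would label an issue in an unsupported release as "unimportant" rather than as unsupported. If this variant is kept, `if best_row.urgency in ('unimportant', 'end-of-life'):` reads more clearly than the chained `or`, and a comment above it should say that end-of-life rows are deliberately collapsed into the unimportant state.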
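Review bot: In the second hunk (`@@ -178,7 +178,7 @@`), adding `and best_row.urgency != 'end-of-life'` to the `if best_row.vulnerable:` test sends end-of-life rows into the `else:` branch (visible as trailing context in the first patch), which the surrounding code uses for rows that are not vulnerable; the hunk does not show what that branch does with the row, so check that it does not emit a fixed version that does not exist or otherwise present the issue as resolved, since "fixed" for an issue that is merely unsupported is the misleading case this patch is meant to remove. A comment above the condition stating that end-of-life rows are treated as not affecting the supported package would document the intent for the next reader.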