On 05.02.2017 19:55, Guido Günther wrote:
> Hi,
> zoneminder has multiple CVEs open and it does not look pretty:
>
> http://seclists.org/bugtraq/2017/Feb/5
>
> I think we have no choice but to end security support (or mark the
> issues as no-dsa and move the package to limited security support like
> only run in trusted environments).

Hello,

I think we should wait until it becomes clear how upstream intends to deal with those security vulnerabilities, but I agree that it looks severe. If the proposed fixes are too intrusive to backport, marking them as unsupported and end-of-life seems to be reasonable. We could issue a warning via debian-lts-announce though and recommend to use zoneminder only in trusted environments for now. Agreed?

Regards,

Markus