Hi,

On 13/07/2020 00:01, Brian May wrote:
> Is dla-needed.txt for Jessie or Stretch now?

Stretch.

> ksh was removed from dla-needed.txt for Stretch and classified "minor":
> 
> https://salsa.debian.org/security-tracker-team/security-tracker/commit/87322fcf
> 
> Then it was added again:
> 
> https://salsa.debian.org/security-tracker-team/security-tracker/commit/59a9cd9dca3afc830fea869d12baf2f3d7c21126
> 
> Should we mark it as ignored in Stretch also? Or maybe the reason (as
> given in the commit message when ksh was first removed) was wrong?
> 
> https://salsa.debian.org/security-tracker-team/security-tracker/commit/b72cc677e719d37f5f3378d616d9cb53315db927

GitHub is currently down, so I can't review the patch, but it sounds
like we don't know for sure the full impact of the vulnerability and
would be better off fixing it.

Cheers!
Sylvain
