On Wed, Dec 30, 2020 at 11:33:12PM +0100, Ola Lundqvist wrote: > Hi > > Today I worked some on wireshark and concluded that all CVEs were postponed > for buster. So I did some research to check if they were applicable to > stretch as well and added quite a few notes about this in the tracker.
The fixes for the 2 new CVEs are trivial to backport, I'll update my buster-pu request. > Now to my question. Should wireshark now be in dla-needed.txt? NOTE: 20201129: buster-pu in #975932, will backport when in buster (bunk) What alternative would you suggest to inform other LTS contributors that 14 CVEs were already fixed and why the upload to stretch is pending? >... > Or should we even be before in LTS? Shipping a higher versioned package in oldstable than what is in stable is problematic, versioning would have to be something like 2.6.8-1.1~really2.6.20 But there is no need to hurry when nothing is considered serious enough for a DSA. > Cheers > > // Ola cu Adrian
