On 01/07/2024 12:49, Ola Lundqvist wrote:
Hi Santiago, Thorsten, all
Santiago has now removed all packages from dla-needed, which is good
considering buster is now EOL.
As a help to Thorsten I have gone through the entries we had and
checked whether bullseye is considered vulnerable.
My conclusion is that we should add back:
- bind9
- dnsmasq
- h2o
- libreswan
- nodejs
- nss
- squid
The analysis is a quick one, based on whether the package tracker
says "vulnerable" for bullseye and the package was part of dla-needed in the
past. This means that the package should be triaged further before
being updated.
The rest of the packages in dla-needed have a "no DSA" or "ignored"
statement for all the associated CVEs.
I have not analyzed the non-free packages. They need extra attention
since they are typically marked as no-dsa with the motivation that
non-free is not supported but we have some packages in the
packages-to-support list.
Hope this helps.
If you want, I can prepare a commit that adds back the above packages.
Note that bullseye is not LTS yet, and is still handled by the security team.
There will be a final point release for bullseye in August, so some packages
with no-dsa issues can be fixed via oldstable-pu (coordinating with appropriate
teams/maintainers).
Cheers,
Emilio