On 01/07/2024 12:49, Ola Lundqvist wrote:
Hi Santiago, Thorsten, all

Santiago has now removed all packages from dla-needed, which is good
considering buster is now EOL.

As a help to Thorsten I have gone through the entries we had and
checked whether bullseye is considered vulnerable.
My conclusion is that we should add back:

- bind9
- dnsmasq
- h2o
- libreswan
- nodejs
- nss
- squid

The analysis is a quick analysis based on whether the package tracker
tells "vulnerable" for bullseye and it was part of dla-needed in the
past. This means that the package should be triaged further before
being updated.

The rest of the packages in dla-needed have a "no DSA" or "ignored"
statement for all the associated CVEs.

I have not analyzed the non-free packages. They need extra attention
since they are typically marked as no-dsa with the motivation that
non-free is not supported but we have some packages in the
packages-to-support list.

Hope this helps.

If you want I can prepare a commit that adds back the above packages.

Note that bullseye is not LTS yet, and is still handled by the security team. There will be a final point release for bullseye in August, so some packages with no-dsa issues can be fixed via oldstable-pu (coordinating with appropriate teams/maintainers).

Cheers,
Emilio