Hi Emilio

Good point.

Cheers

// Ola

On Mon, 1 Jul 2024 at 13:35, Emilio Pozuelo Monfort <po...@debian.org> wrote:
>
> On 01/07/2024 12:49, Ola Lundqvist wrote:
> > Hi Santiago, Thorsten, all
> >
> > Santiago has now removed all packages from dla-needed, which is good
> > considering buster is now EOL.
> >
> > As a help to Thorsten I have gone through the entries we had and
> > checked whether bullseye is considered vulnerable.
> > My conclusion is that we should add back:
> >
> > - bind9
> > - dnsmasq
> > - h2o
> > - libreswan
> > - nodejs
> > - nss
> > - squid
> >
> > The analysis is a quick analysis based on whether the package tracker
> > tells "vulnerable" for bullseye and it was part of dla-needed in the
> > past. This means that the package should be triaged further before
> > being updated.
> >
> > The rest of the packages in dla-needed have a "no DSA" or "ignored"
> > statement for all the associated CVEs.
> >
> > I have not analyzed the non-free packages. They need extra attention
> > since they are typically marked as no-dsa with the motivation that
> > non-free is not supported but we have some packages in the
> > packages-to-support list.
> >
> > Hope this helps.
> >
> > If you want I can prepare a commit that adds back the above packages.
>
> Note that bullseye is not LTS yet, and is still handled by the security team.
> There will be a final point release for bullseye in August, so some packages
> with no-dsa issues can be fixed via oldstable-pu (coordinating with appropriate
> teams/maintainers).
>
> Cheers,
> Emilio



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
