Hi Emilio

Good point.

Cheers

// Ola

On Mon, 1 Jul 2024 at 13:35, Emilio Pozuelo Monfort <po...@debian.org> wrote:
>
> On 01/07/2024 12:49, Ola Lundqvist wrote:
> > Hi Santiago, Thorsten, all
> >
> > Santiago has now removed all packages from dla-needed, which is good
> > considering buster is now EOL.
> >
> > As a help to Thorsten I have gone through the entries we had and
> > checked whether bullseye is considered vulnerable.
> > My conclusion is that we should add back:
> >
> > - bind9
> > - dnsmasq
> > - h2o
> > - libreswan
> > - nodejs
> > - nss
> > - squid
> >
> > The analysis is a quick analysis based on whether the package tracker
> > tells "vulnerable" for bullseye and it was part of dla-needed in the
> > past. This means that the package should be triaged further before
> > updated.
> >
> > The rest of the packages in dla-needed have a "no DSA" or "ignored"
> > statement for all the associated CVEs.
> >
> > I have not analyzed the non-free packages. They need extra attention
> > since they are typically marked as no-dsa with the motivation that
> > non-free is not supported but we have some packages in the
> > packages-to-support list.
> >
> > Hope this helps.
> >
> > If you want I can prepare a commit that adds back the above packages.
>
> Note that bullseye is not LTS yet, and is still handled by the security team.
> There will be a final point release for bullseye in August, so some packages
> with no-dsa issues can be fixed via oldstable-pu (coordinating with
> appropriate teams/maintainers).
>
> Cheers,
> Emilio

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------