path: root/data/dla-needed.txt
A squeeze-lts security update is needed for the following source packages.

The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it.

--
apache2 (Santiago R.R.)
 NOTE: pending, https://lists.debian.org/debian-lts/2015/07/msg00060.html
--
extplorer
--
flightgear
--
fuseiso
--
icu
--
libmimedir
--
libstruts1.2-java
--
libphp-snoopy
  NOTE: maintainer might take care of it, cf. http://lists.debian.org/1424805686.2351.19.camel@debian.org
--
lighttpd
  NOTE: boils down to disabling SSLv3 support, as in
  http://git.lighttpd.net/lighttpd/lighttpd-1.x.git/commit/?id=f610f894a35b5ef0e082b9f3bd24fa338bb10147
  http://git.lighttpd.net/lighttpd/lighttpd-1.x.git/commit/?id=084df7e99a8738be79f83e330415a8963280dc4a
--
linux-2.6
--
netty
--
nss
--
openhpi
  NOTE: same version in squeeze-lts as in wheezy etc.;
  need for action depends on the results of:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789543
--
openjdk-6
--
openssh (Mike Gabriel)
  CVE-2015-5352: The affected ForwardX11Timeout option was added after
  v5.5. For discussion of whether OpenSSH in squeeze is affected, and to what extent,
  see: https://lists.debian.org/debian-lts/2015/07/msg00045.html
--
openssl
  NOTE: CVE-2015-4000 is not completely fixed.  We need to raise the
  minimum DH key length to 1024, but shouldn't do this while many
  servers still use 768 bits.  To set up a server to test against,
  edit ssl_dh_GetTmpParam() in apache2's modules/ssl/ssl_engine_dh.c
  to always return a short key.
--
php5 (Thorsten Alteholz)
  NOTE: upload in June/July
--
phpmyadmin (Thijs Kinkhorst)
  http://lists.debian.org/8d1ec56509c135da275476758673e47a.squirrel@aphrodite.kinkhorst.nl
--
python-tornado (Scott Kitterman)
--
policykit-1
--
pound (Guido Günther)
--
quassel
--
roundup (Thorsten Alteholz)
--
squid3
--
virtualbox-ose
--
wesnoth-1.8
--
How is this list being updated?
-------------------------------

Have a look at the distro view on squeeze:
https://security-tracker.debian.org/tracker/status/release/oldstable

It contains all security issues which are unfixed and which haven't been tagged
as <no-dsa>. Issues tagged no-dsa have a minor impact and aren't worth an update
on their own (e.g. if a security issue can only be exploited in rare
circumstances or if it's only of minor impact). Examples:
* A vulnerability in a server which is only exploitable in a rare or inherently
  insecure setup
* Local temp races allowing DoS
* Minor denial of service issues

It might also be the case that a package is heavily used in stable, but has no
reverse deps in oldstable and was introduced on a rather experimental basis.

no-dsa doesn't mean that a security issue will remain unfixed. For standard stable
and oldstable in Debian there are regular point updates which incorporate such
minor fixes. There are no such point updates for Debian LTS, though. But if e.g.
there's a minor issue in a package, it can be postponed using no-dsa, and if a
more severe issue turns up later, the issue formerly tagged as no-dsa can be fixed
along with it.

Keep in mind that every update may potentially introduce a regression and that
every update involves work for the admin rolling out the updated package!


So, if there's a security issue in a package listed at
https://security-tracker.debian.org/tracker/status/release/oldstable which is not
yet present in this file, do the following:

I. Is the vulnerability present in the version in squeeze-lts? Often the vulnerable
code was introduced later. Don't blindly follow upstream advisories! Example:
Software project X is currently at release 2.1.2 and provides updates for 2.0.x and
2.1.x, while squeeze-lts is at 1.8.x. Always check the code unless upstream explicitly
states that e.g. the issue was introduced in 2.0 with git commit foobar.

II. If the vulnerable code is present, does the vulnerability warrant a security
update? If not, it can be tagged no-dsa. Issues tagged as no-dsa in stable might
qualify as such, but you're free to use your own judgement.

III. If the code is present, the issue is severe enough, and it is not yet present
in this file, add it (preserving the alphabetical order). Even better, add yourself
as the person working on a fixed package!
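As an added example (not part of the tracker repository), a small Python checker for the entry layout this file uses: it parses the package / "(claimant)" / indented NOTE blocks separated by "--", lists packages nobody has put their name behind yet, and flags neighbouring entries that break the alphabetical order step III asks for. The excerpt it parses is constructed for the example; it deliberately reproduces the python-tornado / policykit-1 pair from the list above, which is out of order.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt in the dla-needed.txt layout: header line, optional "(claimant)",
# indented NOTE lines, "--" separators between entries.
SAMPLE = """\
apache2 (Santiago R.R.)
 NOTE: pending, https://lists.debian.org/debian-lts/2015/07/msg00060.html
--
extplorer
--
python-tornado (Scott Kitterman)
--
policykit-1
--
"""

HEADER_RE = re.compile(r"^(?P<pkg>\S+)(?:\s+\((?P<who>[^)]+)\))?\s*$")

@dataclass
class Entry:
    package: str
    claimant: Optional[str] = None
    notes: List[str] = field(default_factory=list)

def parse_dla_needed(text: str) -> List[Entry]:
    """Parse entries; the first line of each '--'-delimited block is the header."""
    entries: List[Entry] = []
    block: List[str] = []
    for line in text.splitlines() + ["--"]:  # sentinel closes the last block
        if line.strip() == "--":
            if block:
                m = HEADER_RE.match(block[0])
                if not m:
                    raise ValueError(f"bad entry header: {block[0]!r}")
                entries.append(Entry(m["pkg"], m["who"], [n.strip() for n in block[1:]]))
            block = []
        elif line.strip():
            block.append(line)
    return entries

def out_of_order(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(previous, current) pairs where the file's alphabetical order is broken."""
    return [(a.package, b.package) for a, b in zip(entries, entries[1:]) if b.package < a.package]

def unclaimed(entries: List[Entry]) -> List[str]:
    """Packages with no name behind them, i.e. still free to pick."""
    return [e.package for e in entries if e.claimant is None]
```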

