path: root/doc/security-team.d.o/triage
Security updates affecting a released Debian suite can fall under three types:

- The security issue(s) are important enough to warrant an out-of-band update released via security.debian.org, which gets announced as a DSA.
  These are announced via debian-security-announce and also redistributed via other sources (news feeds etc.).

- Low severity updates can be included in point releases, which are released every 2-3 months (any user using the -proposed-updates
  mechanism can also use them before they get released). This provides a good balance: low impact issues are still fixed before the next
  stable release, and users can simply install all of them in one go when a point release happens.

- Some issues are simply not worth fixing in a stable release (for multiple reasons, e.g. because they are mostly PR hype, or because they
  are mitigated in Debian via a different config or toolchain hardening).

Every incoming security issue gets triaged. Security issues which are flagged for the second category are displayed in the
Debian Package Tracker (tracker.debian.org); in fact you might have been redirected from the PTS to this page.

For every CVE listed there, there are three possible options:

- Prepare an update for the next point release following:
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
If you CC team@security.debian.org on the release.debian.org bug, the fixed version will get recorded in the Debian Security Tracker.

- Some packages have a steady flow of security issues, and there is also the option to postpone an update to a later time, in other words
to piggyback it on a future DSA for a more severe security issue or to hold it back until a few more low severity issues are known. In the
Security Tracker these are tracked with the <postponed> state; often this means that a fix has been committed to e.g. a buster branch
in salsa, but no upload has been made yet. You can either send a mail to team@security.debian.org and we'll update the state, or
you can also make the change yourself if you're familiar with the Security Tracker.

- Some packages should rather not be fixed at all, e.g. because the possible benefit does not outweigh the risk/costs of an update,
or because an update is not possible (e.g. as it would introduce behavioural changes not appropriate for a stable release). In the
Security Tracker these are tracked with the <ignored> state. You can either send a mail to team@security.debian.org and we'll update
the state, or you can also make the change yourself if you're familiar with the Security Tracker.

Any of the three actions above will make the CVE ID disappear from the "low severity" entry in the Security Tracker.
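As an added illustration (constructed for this page, not an entry from the security-tracker repository), this is what such states look like for one CVE in the tracker's data/CVE/list file; the CVE id, package name, versions and bug number are placeholders, each indented line starts with a tab, and the <no-dsa> state (not named above, but the one the tracker uses for the "low severity" category) is assumed here for the suite where the issue has not been dealt with yet:

```text
CVE-YYYY-NNNN (Placeholder description of a low severity issue in libfoo)
	- libfoo 1.2.3-2 (bug #NNNNNN)
	[bookworm] - libfoo <no-dsa> (Minor issue)
	[bullseye] - libfoo <postponed> (Minor issue; fix committed to the bullseye branch in salsa, no upload yet)
	[buster] - libfoo <ignored> (Minor issue; fixing it would change behaviour in a stable release)
	NOTE: the bookworm <no-dsa> line is what the package tracker shows as a "low severity" entry
	NOTE: replacing it with a fixed version (e.g. 1.2.3-2+deb12u1), <postponed> or <ignored> makes that entry disappear
```

A point-release fix is recorded by replacing the suite's state with the fixed version string, exactly as the security team does when CC'd on the release.debian.org bug.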
