Package: security-tracker
Severity: important

It looks like squeeze-lts/non-free is not handled correctly. Have a look at jruby:

$ rmadison jruby
jruby | 1.5.1-1        | oldoldstable/non-free       | source, all
jruby | 1.5.1-1+deb6u1 | buildd-squeeze-lts/non-free | source, all
jruby | 1.5.1-1+deb6u1 | squeeze-lts/non-free        | source, all
[...]

Version 1.5.1-1+deb6u1 fixes CVE-2011-4838 and CVE-2012-5370 through DLA-209-1. Yet https://security-tracker.debian.org/tracker/source-package/jruby doesn't show any "squeeze (lts)" or "squeeze/non-free (lts)" column showing that it's fixed there.

And the JSON output for those CVEs pretends that the issue is still open:

    "squeeze": {
      "repositories": {
        "squeeze": "1.5.1-1"
      },
      "status": "open",
      "urgency": "high**"
    },

-- System Information:
Debian Release: 8.0
  APT prefers squeeze-lts
  APT policy: (500, 'squeeze-lts'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
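A cross-check for the mismatch reported above, as an added example that is not part of the original report and not security-tracker code: it flags releases the tracker marks "open" while a `<release>-lts` suite in the rmadison output carries a newer version than any the tracker recorded. The function names (`deb_cmp`, `untracked_lts`) are hypothetical, and a hit only means the record does not cover that suite, not that the CVE is fixed there.

```python
import re

def _order(c):
    # dpkg character order: '~' first, then end-of-part, letters, everything else
    return {"~": -1, "": 0}.get(c, ord(c or " ") + (0 if c.isalpha() else 256))

def _cmp_part(a, b):
    # Alternate between non-digit runs (dpkg order) and digit runs (numeric)
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            d = _order(na[i:i + 1]) - _order(nb[i:i + 1])
            if d:
                return d
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        d = int(da or 0) - int(db or 0)
        if d:
            return d
    return 0

def deb_cmp(v1, v2):
    """Compare Debian versions: negative, zero or positive like v1 - v2."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def untracked_lts(releases, madison):
    """Open releases whose <release>-lts suite has a version the tracker lacks."""
    rows = [[f.strip() for f in l.split("|")]
            for l in madison.splitlines() if l.count("|") == 3]
    return [(rel, suite, ver)
            for rel, info in releases.items() if info["status"] == "open"
            for _pkg, ver, suite, _arch in rows
            if suite.split("/")[0] == rel + "-lts"
            and all(deb_cmp(ver, k) > 0 for k in info["repositories"].values())]

# Sample input copied from the report above (rmadison rows and JSON fragment)
MADISON = """jruby | 1.5.1-1 | oldoldstable/non-free | source, all
jruby | 1.5.1-1+deb6u1 | buildd-squeeze-lts/non-free | source, all
jruby | 1.5.1-1+deb6u1 | squeeze-lts/non-free | source, all"""
RELEASES = {"squeeze": {"repositories": {"squeeze": "1.5.1-1"},
                        "status": "open", "urgency": "high**"}}

if __name__ == "__main__":
    print(untracked_lts(RELEASES, MADISON))
```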