Hi Scott, On Wed, Jan 31, 2018 at 10:57:30PM -0500, Scott Kitterman wrote: > On Thursday, February 01, 2018 01:03:29 AM Matija Nalis wrote: > > nor does debian security tracker list the updates as available for > > jessie/stretch: > > https://security-tracker.debian.org/tracker/source-package/clamav > > > > (security-tracked does say in hover text that jessie > > "gets updated via -updates", so it should pick that up) > > > > it correctly reports wheezy, buster and sid as fixed. > > > > for example, see also > > https://security-tracker.debian.org/tracker/CVE-2017-12376 > > > > this looks to me also like something that should be fixed (somewhere)? > > By design, the security tracker doesn't consider things 'fixed' in stable via > updates until after it's included in a Debian point release. I agree it's > not > totally clear, but the way it's working is what the security team intends.
JFTR, yes that's correct. As a side node, we might need to look into starting -updates and consider what is there to be 'accepted' for stable (oldstable) already by the stable release managers. This would need some work on the security-tracker side which would not support that yet. Will think about it. Regards, Salvatore
