Package: debian-security-support Version: 2019.02.01 Tags: patch QtWebEngine isn’t explicitly listed in the release notes as “not covered by security support” [1], but QtWebKit is. QtWebEngine probably belongs in the same boat – it has a steady stream of CVEs that are quickly patched upstream, but no DSAs have been issued. Please add qtwebengine-opensource-src to security-support-limited.
[1] https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security
--- debian-security-support/security-support-limited.orig 2018-11-25 08:39:43 +0100 +++ debian-security-support/security-support-limited 2019-04-01 12:14:58 -0400 @@ -17,6 +17,7 @@ mozjs17 Not covered by security support, only suitable for trusted content mozjs24 Not covered by security support, only suitable for trusted content ocsinventory-server Only supported behind an authenticated HTTP zone +qtwebengine-opensource-src No security support upstream and backports not feasible, only for use on trusted content qtwebkit No security support upstream and backports not feasible, only for use on trusted content qtwebkit-opensource-src No security support upstream and backports not feasible, only for use on trusted content sql-ledger Only supported behind an authenticated HTTP zone
