Re: runc CVEs in docker.io
Gareth Evans wrote:
> Given that these are all fixed in Bullseye (and at least the grave
> apt-listbugs issue has been fixed in eg Ubuntu since March 2020 [1])
> why not also Buster?
[...]
> According to
>
> https://tracker.debian.org/pkg/runc
>
> there are 3 open security issues in (Stretch and) Buster
Most are marked "vulnerable (no DSA)". According to
<https://security-team.debian.org/triage.html> and
<https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory>,
that may mean that minor issues will be fixed with a point update or
"are simply not worth fixing in a stable release".
CVE-2021-30465 is scheduled to get a security update for buster.
> (though I
> imagine Debian's support for Stretch has ended with EOL in 2020?) -
Stretch will get security support via the Debian LTS project
(<https://wiki.debian.org/LTS>) until the end of June, 2022.
Debian Jessie still gets some security support via the Debian ELTS
project (<https://wiki.debian.org/LTS/Extended>) for the same time
period. Most probably the same will happen for Stretch after LTS
support has ended.
-thh