
I'm looking after a server which has a customised package, based on a patch against an upstream Debian package from a different version of Debian than the one the server actually runs. I want to make sure I can respond in a timely manner to any security issues that arise with the upstream package.

The upstream source is at: https://anonscm.debian.org/viewvc/pkg-mailman/trunk/ and svn://anonscm.debian.org/pkg-mailman/trunk .

Is there a way to monitor for security patches against that? How are new releases flagged as having a security impact? I get that a trunk branch may not equate to any release, but can I somehow monitor e.g. the 'testing' branch for security fixes?

mc0e

1 Answer


This case is somewhat complicated.

Let's take a look at https://www.debian.org/security/

It has the debian-security-announce list: https://www.debian.org/security/2016/

There is, for example, information about a mailman security update (DSA-3668-1 mailman): https://www.debian.org/security/2016/dsa-3668

With links to the Debian bug tracking system, which contains discussion of the bug with details and references: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835970

And the CVE entry, a summary of affected packages and versions: https://security-tracker.debian.org/tracker/CVE-2016-6893

I get that a trunk branch may not equate to any release, but can I somehow monitor e.g. the 'testing' branch for security fixes?

You may monitor the debian-security-announce list for new entries about the packages you have to take care of. This can be scripted, for example. Then you have to study the case and eventually apply the patches if they are not yet applied to the trunk version you are using, and eventually take care of additional problems caused by the customizations of the package. Also subscribe to the bug tracking system of the mailman project development team (project page: https://www.gnu.org/software/mailman/ ).

mgs