diff -Nru debian-security-support-2020.06.21/check-support-status.in debian-security-support-2020.07.12/check-support-status.in --- debian-security-support-2020.06.21/check-support-status.in 2020-03-15 10:03:17.000000000 +0000 +++ debian-security-support-2020.07.12/check-support-status.in 2020-07-12 12:47:48.000000000 +0000 @@ -11,7 +11,7 @@ VERSION='[% VERSION %]' # Oldest Debian version included in debian-security-support -DEB_LOWEST_VER_ID=8 +DEB_LOWEST_VER_ID=9 # Version ID for next Debian stable DEB_NEXT_VER_ID=11 diff -Nru debian-security-support-2020.06.21/debian/changelog debian-security-support-2020.07.12/debian/changelog --- debian-security-support-2020.06.21/debian/changelog 2020-06-21 16:02:22.000000000 +0000 +++ debian-security-support-2020.07.12/debian/changelog 2020-07-12 14:18:31.000000000 +0000 @@ -1,3 +1,19 @@ +debian-security-support (2020.07.12) unstable; urgency=medium + + * Drop support for jessie: + - drop security-support-ended.deb8. + - set DEB_LOWEST_VER_ID=9 in check-support-status.in. + * security-support-limited: + - add mozjs68. Closes: #959804, thanks to Simon McVittie for the bug + report. + - drop glpi as it was only shipped in jessie and before. + - drop ltp as it was only shipped in squeeze. + - drop wine-gecko-2.(21|24) as they were only present in jessie. + * lintian-overrides: drop unused maintainer-script-should-not-use-adduser- + system-without-home. + + -- Holger Levsen Sun, 12 Jul 2020 16:18:31 +0200 + debian-security-support (2020.06.21) unstable; urgency=medium [ Mike Gabriel ] diff -Nru debian-security-support-2020.06.21/debian/debian-security-support.lintian-overrides debian-security-support-2020.07.12/debian/debian-security-support.lintian-overrides --- debian-security-support-2020.06.21/debian/debian-security-support.lintian-overrides 2020-02-25 14:37:39.000000000 +0000 +++ debian-security-support-2020.07.12/debian/debian-security-support.lintian-overrides 2020-07-12 14:17:33.000000000 +0000 
@@ -1,4 +1,3 @@ debian-security-support: no-debconf-config debian-security-support: postinst-uses-db-input -debian-security-support: maintainer-script-should-not-use-adduser-system-without-home postinst:20 debian-security-support: debconf-is-not-a-registry usr/share/debian-security-support/check-support-status.hook diff -Nru debian-security-support-2020.06.21/security-support-ended.deb8 debian-security-support-2020.07.12/security-support-ended.deb8 --- debian-security-support-2020.06.21/security-support-ended.deb8 2020-06-21 16:00:30.000000000 +0000 +++ debian-security-support-2020.07.12/security-support-ended.deb8 1970-01-01 00:00:00.000000000 +0000 
@@ -1,50 +0,0 @@ - -# List of packages whose security support ends before the distribution EOL - -# File format: Columns, separated by one or more space characters -# 1. source package name -# 2. last version with support -# Important: If there have been binNMUs, enter the highest version -# number used -# 3. Date when support ended or will end, in the form YYYY-mm-dd -# 4. Descriptive text or URL with more details (optional) -# In the program's output, this is prefixed with "Details:" - -mediawiki 1:1.19.20+dfsg-2.3 2016-04-26 https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.html#mediawiki-security -tomcat6 6.0.41-3 2016-12-31 https://lists.debian.org/debian-java/2016/01/msg00069.html -virtualbox 4.3.36-dfsg-1+deb8u1 2016-10-25 https://lists.debian.org/debian-security-announce/2016/msg00280.html -trn 3.6-23 2016-09-17 https://lists.debian.org/debian-announce/2016/msg00008.html -dotclear 2.6.4+dfsg-1 2017-01-14 https://lists.debian.org/debian-announce/2017/msg00000.html -sogo 2.2.9+git20141017-1 2017-01-14 https://lists.debian.org/debian-announce/2017/msg00000.html -cgiemail 1.6-37 2017-06-02 https://lists.debian.org/debian-announce/2017/msg00002.html -owncloud 7.0.4+dfsg-4~deb8u3 2017-06-02 https://lists.debian.org/debian-announce/2017/msg00002.html -owncloud-apps 0~~20141022-1 2017-06-02 https://lists.debian.org/debian-announce/2017/msg00002.html -chromium-browser 57.0.2987.98-1~deb8u1 2017-11-07 https://lists.debian.org/debian-security-announce/2017/msg00282.html -redmine 3.0~20140825-8~deb8u2 2018-05-03 https://lists.debian.org/debian-security-announce/2018/msg00118.html -vlc 2.2.7-1~deb8u1 2018-05-17 https://lists.debian.org/debian-security-announce/2018/msg00130.html -jruby 1.5.6-9 2018-06-08 https://lists.debian.org/debian-security-announce/2018/msg00148.html -jasperreports 4.1.3+dfsg-3 2018-06-20 Specific details about security vulnerabilites are not published -enigmail 2:1.9.9-1~deb8u1 2019-02-01 
https://lists.debian.org/debian-lts/2019/01/msg00081.html -spice-xpi 2.8.90-4 2019-03-03 Broken with newer versions of Firefox -edk2 0~20131112.2590861a-3 2019-03-29 Non-free and not used by any sponsor -robocode 1.6.2+dfsg2-1 2019-03-31 Games are not supported -mysql-5.5 5.5.62-0+deb8u1 2019-06-30 MySQL 5.5 EOL upstream, unfeasible to keep supported due to no patch details -nasm-mozilla 0 2019-01-01 Only provided as build dependency for Firefox/Thunderbird >= 68 -nodejs-mozilla 0 2019-01-01 Only provided as build dependency for Firefox/Thunderbird >= 68 -libqb 0.11.1-2 2019-11-15 Leaf package, no upstream support for this version -nethack 3.4.3-15 2019-12-30 https://lists.debian.org/debian-lts/2019/12/msg00062.html -nodejs 0.10.29~dfsg-2 2020-02-20 https://lists.debian.org/debian-lts/2020/02/msg00045.html and https://bugs.debian.org/931376 -xen 4.4.4lts5-0+deb8u1 2020-03-02 https://lists.debian.org/debian-lts/2020/03/msg00020.html -tor 0.2.5.16-1 2020-03-20 https://lists.debian.org/debian-security-announce/2020/msg00047.html -libperlspeak-perl 2.01-2 2020-04-16 https://bugs.debian.org/954238 (CVE-2020-10674) and https://bugs.debian.org/954297 -# Openstack support dropped -cinder 2014.1.3-11+deb8u1 2020-06-19 "Jessie lost support fom upstream just a few weeks after the release." (https://lists.debian.org/debian-lts/2015/11/msg00024.html) -glance 2014.1.3-12+deb8u1 2020-05-08 "Jessie lost support fom upstream just a few weeks after the release." (https://lists.debian.org/debian-lts/2015/11/msg00024.html) -horizon 2014.1.3-7+deb8u2 2020-05-08 "Jessie lost support fom upstream just a few weeks after the release." (https://lists.debian.org/debian-lts/2015/11/msg00024.html) -keystone 2014.1.3-6 2020-05-08 "Jessie lost support fom upstream just a few weeks after the release." (https://lists.debian.org/debian-lts/2015/11/msg00024.html) -nova 2014.1.3-11 2020-05-08 "Jessie lost support fom upstream just a few weeks after the release." 
(https://lists.debian.org/debian-lts/2015/11/msg00024.html) -python-keystoneclient 1:0.10.1-2+deb8u1 2020-05-08 "Jessie lost support fom upstream just a few weeks after the release." (https://lists.debian.org/debian-lts/2015/11/msg00024.html) -python-novaclient 2:2.18.1-1 2020-05-08 "Jessie lost support fom upstream just a few weeks after the release." (https://lists.debian.org/debian-lts/2015/11/msg00024.html) -swift 2.2.0-1+deb8u1 2020-05-08 "Jessie lost support fom upstream just a few weeks after the release." (https://lists.debian.org/debian-lts/2015/11/msg00024.html) -# End Openstack support dropped -unbound 1.4.22-3+deb8u4 2020-06-11 https://lists.debian.org/debian-lts/2020/06/msg00024.html and followups / DSA-4694-1 diff -Nru debian-security-support-2020.06.21/security-support-limited debian-security-support-2020.07.12/security-support-limited --- debian-security-support-2020.06.21/security-support-limited 2020-03-15 09:58:34.000000000 +0000 +++ debian-security-support-2020.07.12/security-support-limited 2020-07-12 13:13:55.000000000 +0000 
@@ -10,15 +10,14 @@ binutils Only suitable for trusted content; see https://lists.debian.org/msgid-search/87lfqsomtg.fsf@mid.deneb.enyo.de ganglia See README.Debian.security, only supported behind an authenticated HTTP zone, #702775 ganglia-web See README.Debian.security, only supported behind an authenticated HTTP zone, #702776 -glpi Only supported behind an authenticated HTTP zone for trusted users golang* See https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#golang-static-linking kde4libs khtml has no security support upstream, only for use on trusted content libv8-3.14 Not covered by security support, only suitable for trusted content -ltp Pure Testsuite, only supported on non-production non-multiuser systems mozjs Not covered by security support, only suitable for trusted content mozjs24 Not covered by security support, only suitable for trusted content mozjs52 Not covered by security support, only suitable for trusted content mozjs60 Not covered by security support, only suitable for trusted content +mozjs68 Not covered by security support, only suitable for trusted content, see #959804 ocsinventory-server Only supported behind an authenticated HTTP zone qtwebengine-opensource-src No security support upstream and backports not feasible, only for use on trusted content qtwebkit No security support upstream and backports not feasible, only for use on trusted content @@ -26,6 +25,4 @@ sql-ledger Only supported behind an authenticated HTTP zone swftools Not covered by security support, only suitable for trusted content webkitgtk No security support upstream and backports not feasible, only for use on trusted content -wine-gecko-2.21 Not covered by security support, see https://bugs.debian.org/804058 -wine-gecko-2.24 Not covered by security support, see https://bugs.debian.org/804058 zoneminder See README.Debian.security, only supported behind an authenticated HTTP zone, #922724
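Review bot: in the check-support-status.in hunk, DEB_LOWEST_VER_ID goes from 8 to 9 in the same upload that deletes security-support-ended.deb8, and nothing visible here shows what the script does on a host that still reports version 8. Please confirm it stops with an explicit message that the release is no longer covered when the detected version is below DEB_LOWEST_VER_ID, rather than finding no list file and reporting no unsupported packages. A short note in the comment above the variable saying that lower versions are rejected would make this clear to the next person who bumps it.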
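Review bot: in the debian/changelog hunk, the "Drop support for jessie" item gives no reason or reference, unlike the mozjs68 item, which cites #959804. The removed security-support-ended.deb8 still received entries dated 2020-06-11 (unbound) and 2020-06-19 (cinder), so a reader of the changelog cannot tell why data updated a few weeks earlier is now dropped. Suggest adding one line stating the reason and where jessie hosts should get their end-of-support data from after this version.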
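Review bot: in the security-support-limited hunk, mozjs68 is added as a fifth per-version line next to mozjs, mozjs24, mozjs52 and mozjs60, all with the same "Not covered by security support, only suitable for trusted content" text, and it was only added after a bug report (#959804). The file already uses a wildcard for `golang*`, so a single `mozjs*` entry would flag future mozjs versions by default instead of leaving each new one unlisted until someone notices. If the per-version lines are intentional, a comment saying why would help.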