Hi John,

John Franklin writes:
> I’ve seen several security alerts from Debian, but no matching
> updates in Devuan. For example, the "file" package has
> CVE-2017-1000249, released yesterday.
>
>> For the stable distribution (stretch), this problem has been fixed in
>> version 1:5.30-1+deb9u1.
>>
>> For the unstable distribution (sid), this problem has been fixed in
>> version 1:5.32-1.
>
> But, on a Devuan Ascii VM:

Uhm, Devuan ascii is testing. I'd think that doesn't get any security
upgrades, just like Debian's testing (buster) doesn't get any.
In addition, this particular DSA doesn't mention fixes for oldstable so
I would not expect Devuan's jessie to get any security upgrade either.
Looks like you'll have to wait until whatever hit unstable trickles down
to testing.

> [...]
>
> Maybe this one is too new, but the "apache2" package has
> CVE-2017-9788 released July 18th, 2017.
>
>> For the oldstable distribution (jessie), this problem has been fixed
>> in version 2.4.10-10+deb8u10.
>>
>> For the stable distribution (stretch), this problem has been fixed in
>> version 2.4.25-3+deb9u2.
>>
>> For the unstable distribution (sid), this problem has been fixed in
>> version 2.4.27-1.
>
> The latest apache2 in Ascii is 2.4.25-3+deb9u1.

On my Devuan jessie I get this

  $ apt-cache policy apache2
  apache2:
    Installed: (none)
    Candidate: 2.4.10-10+deb8u10
    Version table:
       2.4.10-10+deb8u10 0
          500 http://auto.mirror.devuan.org/merged/ jessie-security/main amd64 Packages
       2.4.10-10+deb8u9 0
          500 http://auto.mirror.devuan.org/merged/ jessie/main amd64 Packages

This matches what is available for Debian's jessie (oldstable).

Hope this helps,
--
Olaf Meeuwissen, LPIC-2 FSF Associate Member since 2004-01-27
GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
Support Free Software https://my.fsf.org/donate
Join the Free Software Foundation https://my.fsf.org/join