[Bug 1192367] [NEW] No security release provided for CVE-2013-3567

[Alex Vandiver]

Public bug reported:

Lucid's version of puppet is listed as "ignored (reached end-of-life)"
on the CVE tracking page for CVE-2013-3567 [1].  However, Ubuntu Lucid
has not reached end-of-life for the server release -- indeed, `apt-cache
show puppet` shows "Supported: 5y".  The Ubuntu wiki[2] states that
Ubuntu Server LTS supports "security updates and select bug fixes (5
years) -- This is defined as the union of the server-ship and supported-
server seeds."  Checking the seed file[3], I find that puppet is indeed
listed in the server-ship seed.

On IRC, I was pointed to ~ubuntu-security/ubuntu-cve-tracker/lucid-
supported.txt as the master list of supported packages.  How is this
list generated, if not as documented under Ubuntu's support policies?  I
also note that the header line in that file is misleading or incorrect,
and should probably read "...are unsupported starting May 9, 2013" if
that is the intent.

Regardless, either the Lucid release of puppet should gain a security
release for CVE-2013-3567, or Ubuntu should update their documentation
in numerous places as to what packages are considered "supported" as
part of Lucid server LTS.

[1] http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3567.html
[2] https://wiki.ubuntu.com/SeedManagement#Maintenance_Period
[3] http://people.canonical.com/~ubuntu-archive/germinate-output/ubuntu.lucid/server-ship.seed
[4] http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/lucid-supported.txt

** Affects: puppet (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to puppet in Ubuntu.
https://bugs.launchpad.net/bugs/1192367

Title:
  No security release provided for CVE-2013-3567

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/1192367/+subscriptions