LTS updates with security issues

Hi.

As I understand it, versions N.10.2+ are LTS versions (N is one cycle a year). As the IT department isn’t amused to update very often, I’ve been asked how many of these LTS versions fix security issues.

As far as I saw, in LTS cycle 12.x there is only 12.10.3 where a security issue is mentioned until today. In cycle 11.x, from 11.10.2 to 11.10.13, there is no security issue mentioned.

Of course you can’t know how many security updates to an LTS version will come, but can you say how many there have been in the past on average?

Is there a newsletter we can subscribe to in order to get informed about those LTS security updates (only)?

Regards Simpel

It’s really impossible to answer that, ideally there would be none…

There is a mailing list related to security vulnerabilities. It’s about all security issues in general, but it’s not active enough to justify creating one dedicated to the LTS branch (most security issues are fixed on the LTS branch too anyway).

We also issue CVEs for every security issue fixed (see https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/).

Am I right with my guess that in cycle 12.x there was only 12.0.3 and in cycle 11.x there was no further LTS subversion with security issues?

It seems to me your LTS policy is about 3 years old, as I can’t see a 10.10.2+ or 9.10.2+ and so on. Did you have LTS versions before 11.x? And can I identify them to look inside the release notes for LTS security issues?

We only support one LTS at a time currently, so every year the LTS branch changes and currently the LTS branch is 12.10.x.

See https://dev.xwiki.org/xwiki/bin/view/Community/VersioningAndReleasePractices for more info about supported branches and versioning in general.

Of course that’s the XWiki open source policy, and you could get extended support from sponsoring companies like XWiki SAS, see https://www.xwiki.org/xwiki/bin/view/Main/Support#HProfessionalSupport.

Discussion started at Indicate if there are security issues in the Release Notes