> but Debian does not include matrix-synapse in Debian Stable releases.
[citation needed]
matrix-synapse /was not/ included in the most recent Debian release. But there are no open release-critical bugs against it and it is in Debian testing, so there is nothing to indicate that /as a policy/ it is not being included in Debian releases.
And the bug originally reported here was against the version of the package in bionic, a year and a half after bionic released. That security vulnerabilities were discovered in a package over the life cycle of a stable release is also not a reason for us to remove it.
I would certainly accept guidance from the Security Team that this package should be removed so that it does not have to be supported under ESM.
> but Debian does not include matrix-synapse in Debian Stable releases.
[citation needed]
matrix-synapse /was not/ included in the most recent Debian release. But there are no open release-critical bugs against it and it is in Debian testing, so there is nothing to indicate that /as a policy/ it is not being included in Debian releases.
And the bug originally reported here was against the version of the package in bionic, a year and a half after bionic released. That security vulnerabilities were discovered in a package over the life cycle of a stable release is also not a reason for us to remove it.
I would certainly accept guidance from the Security Team that this package should be removed so that it does not have to be supported under ESM.
But https:/ /ubuntu. com/security/ cves?q= &package= matrix- synapse& priority= &version= &status= also shows none of these CVEs are scored above 'medium' priority.