The extended Squeeze security support is opt-in. One has to enable the
squeeze-lts distribution in the APT sources; it is not provided through
security.debian.org. Don't forget to do that if you're still running Squeeze, or you will not receive important security updates!
$ echo "deb http://ftp.nl.debian.org/debian squeeze-lts main non-free contrib" \ >> sudo tee -a /etc/apt/sources.list \ && sudo apt-get update \ && sudo apt-get dist-upgrade
About Debian LTS
Standard security support for Debian GNU/Linux release 6.0 (codename Squeeze) has been terminated May 31st, 2014. While users should have been putting effort in upgrading to Wheezy, a separate team of volunteers announced prolonged security support on April 24, 2014 for at least until February 2016. Cool to see a Debian release to be supported for such a longer time, but I'm just not too excited about it, because I really think this should be announced from the initial release on. Now this is just discouraging users to upgrade to Wheezy and the user base of Squeeze-LTS is just only going to become smaller and smaller.
Not enabled by default
What's not mentioned in the announcement of Squeeze-LTS, is that one needs to enable the
squeeze-lts release channel in order to receive the updates.
I believe a lot of users will not notice it and their systems will likely not be receiving critical security updates released this month like the gnutls26 update and the openssl update.
With a fully updates Squeeze machine, I can confirm the updates are not pushed through
$ apt-cache policy libgnutls26 libgnutls26: Installed: 2.8.6-1+squeeze3 Candidate: 2.8.6-1+squeeze3 Version table: *** 2.8.6-1+squeeze3 0 500 http://security.debian.org/ squeeze/updates/main amd64 Packages 100 /var/lib/dpkg/status 2.8.6-1+squeeze2 0 500 http://ftp.nl.debian.org/debian/ squeeze/main amd64 Packages
2.8.6-1+squeeze3 is from March 2014 (changelog) and clearly does not include fixes for those like the 'Client Hello' vulnerability (CVE-2014-3466) fixed in the announced 2.8.6-1+squeeze4 version by the Squeeze-LTS team.
How to enable Squeeze LTS?
Simply put, add the
squeeze-lts distribution from your regular Debian mirror to your APT's
sources.list configuration. E.g.:
deb http://ftp.nl.debian.org/debian squeeze main non-free contrib deb http://ftp.nl.debian.org/debian squeeze-updates main non-free contrib deb http://security.debian.org squeeze/updates main non-free contrib # Squeeze LTS deb http://ftp.nl.debian.org/debian squeeze-lts main non-free contrib
# apt-get update
to update the lists.
Now you can enjoy new security updates pending:
$ apt-cache policy libgnutls26 libgnutls26: Installed: 2.8.6-1+squeeze3 Candidate: 2.8.6-1+squeeze4 Version table: 2.8.6-1+squeeze4 0 500 http://ftp.nl.debian.org/debian/ squeeze-lts/main amd64 Packages *** 2.8.6-1+squeeze3 0 500 http://security.debian.org/ squeeze/updates/main amd64 Packages 100 /var/lib/dpkg/status 2.8.6-1+squeeze2 0 500 http://ftp.nl.debian.org/debian/ squeeze/main amd64 Packages
Don't forget to actually upgrade and to restart all related services!
# apt-get dist-upgrade Reading package lists... Done Building dependency tree Reading state information... Done Calculating upgrade... Done The following packages will be upgraded: libgnutls26 [...] # /etc/init.d/exim4 restart