To what releases will Juniper Networks apply fixes to resolve security vulnerabilities?
Juniper Networks applies fixes for product security vulnerabilities to all actively supported releases of software for the product or platform affected, based on the CVSS score of the vulnerability.
The Common Vulnerability Scoring System (CVSS) is the primary tool Juniper Networks uses to determine which software releases receive fixes for vulnerabilities. As a normal practice, all security fixes are applied to the currently active releases. In general, if a CVSS Base score is 3 or higher, the security fix will be applied to all releases which have not yet reached End of Engineering (EOE).
It is not the standard practice of Juniper Networks to apply security fixes to releases which are beyond End of Engineering (EOE) or End of Life (EOL).
Please refer to these pages for the official Juniper Networks policies and timetables for End of Engineering (EOE), End of Life (EOL), and Extended End of Life (EEOL).
The statements above are guidelines and not exact rules. There are many factors that can affect the decision as to which releases will be selected to receive fixes for vulnerabilities, especially when considering borderline cases involving EOL and EOE releases. For example, backporting vulnerability fixes into older releases may require a significant development effort nearly equivalent to producing a new release, and is simply not feasible or pragmatic in the face of a low-risk threat. In other circumstances, backporting a fix may be a straightforward exercise and may be justified due to a greater risk posed by the specific vulnerability. The Juniper Networks SIRT welcomes any input from customers, the network security community, and the public that improves our ability to determine which End of Life and End of Engineering releases will be fixed to resolve specific vulnerabilities.
Questions and concerns can be sent to the Juniper Networks Security Incident Response Team (SIRT) via E-mail at email@example.com.