First I want to change the question to "Which packages should we worry about?"

Pjotr wrote:
So the questions are:
a. Which packages should we worry about most, i.e. which ones can be classified as high risk?
All packages from the universe and multiverse repositories. All packages which do not actually get the 5 years of LTS support.
As I described in my starting post, Ubuntu has the tool ubuntu-support-status. A quick test showed me that you can install it in Mint (I used LM 17 Qiana Cinnamon 64 bit, but this should not matter), but it does not work. Probably this is because of this bug. In Ubuntu 16.04 it works for me. It would be relevant to know which packages are pre-installed in Mint from those Ubuntu repositories. This would require taking a fresh installation of Mint and a fresh installation of Ubuntu, finding out those packages, installing them in Ubuntu and then running the tool to find the number and the names of all packages without support, with 9 months of support and with 3 years of support. Then you get an idea of the impact of the problem in any Mint main edition installation.
The core of the problem, in my eyes, is that Ubuntu says for the LTS: "supported for 5 years". Full stop. That this is only half the truth is somewhere in the small print. I bet that 90%+ of all users of Ubuntu and Ubuntu-based systems don't know that this doesn't mean that any leak which becomes known in those 5 years will be closed. But the fact is that they do become known. The trouble with open source is that this openness becomes a boomerang if the leaks stay unclosed. In the article (link in my first post) the author says that gaps in many installed packages would almost certainly be a frequent attack vector if Ubuntu desktops had a distribution similar to Android's. Security sounds different from relying on an OS with rather few installations.
If this post by xenopeek (upgrade as soon as possible), published on the day when the support for LM 16 ended, has a meaning, then it is worth thinking about the fact that parts of the LTS system have no support for more than 4 years.
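As an added illustration of the first step the post describes (finding out which installed packages come from universe or multiverse rather than main), not part of the poster's text: a small POSIX shell filter that reads the output of `apt-cache policy <pkg>` and reports the component and repository host of the installed version. The sample outputs are constructed for the example and the driver at the end is an assumed way to run it over a real system.

```shell
# Classify a package by the archive component (main/restricted/universe/
# multiverse) and the repository host its INSTALLED version came from.
# Reads `apt-cache policy <pkg>` output on stdin (assumed standard layout).
component_of() {
  awk '
    /^ \*\*\* /             { in_inst = 1; next }   # block of the installed version
    in_inst && /^     [^ ]/ { in_inst = 0 }         # the next version block begins
    # Origin lines: "<prio> <url> <suite>/<component> <arch> Packages"
    in_inst && $2 ~ /^(https?|ftp|file|cdrom):/ {
      n = split($3, sc, "/")                        # e.g. "trusty/universe"
      comp = (sc[n] != "") ? sc[n] : "flat"
      host = $2; sub(/^[a-z]+:\/\/?/, "", host); sub(/\/.*$/, "", host)
      print comp, host; found = 1; exit
    }
    # Only /var/lib/dpkg/status listed the installed version: no configured
    # repository offers it any more, so no repository can update it either.
    END { if (!found) print "local none" }
  '
}

# Constructed sample (not real apt output): a package from Ubuntu universe.
sample_universe() { cat <<'EOF'
example-pkg:
  Installed: 1.2.3-1ubuntu1
  Candidate: 1.2.3-1ubuntu1
  Version table:
 *** 1.2.3-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu trusty/universe amd64 Packages
        100 /var/lib/dpkg/status
EOF
}
# Constructed sample: Mint's own repository also uses "main", so only the
# host tells a Mint package apart from an Ubuntu-supported one.
sample_mint() { cat <<'EOF'
mint-pkg:
  Installed: 2.0
  Version table:
 *** 2.0 700
        700 http://packages.linuxmint.com qiana/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
}

sample_universe | component_of   # universe archive.ubuntu.com
sample_mint | component_of       # main packages.linuxmint.com

# Real-system driver (assumed): classify every installed package.
# dpkg-query -W -f='${db:Status-Abbrev} ${binary:Package}\n' | awk '$1=="ii"{print $2}' \
#   | while read -r p; do printf '%s ' "$p"; apt-cache policy "$p" | component_of; done
```

Piping the driver's output through `sort | uniq -c` on the last two columns gives the count per component and host, which is the number the post wants before running ubuntu-support-status.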