
Re: Secure new packages (such as LibreOffice) for laptop: backports or Guix?



Hi again,

On 16.01.22 at 13:25, Rene Engelhard wrote:
On 03.01.22 at 13:10, Jorge P. de Morais Neto wrote:
For LibreOffice, I am using version 7.2.3-2~bpo11+1 from backports.  On
December 6 I got an email from announce@documentfoundation.org about
version 7.2.4, containing a security fix.  Yet bullseye-backports is
still on 7.2.3-2~bpo11+1, and, according to the Debian changelog, that
version is from November 28.  It seems therefore to be insecure.

Addendum: This happens if one just compares version numbers without even looking at what the advisory was about.

NEVER EVER do that. Bug fixes in Debian stable also don't happen by updating the version but by backporting the fix. In the theoretical scenario where a new issue were found in LO, stable would always stay at 7.0.4 with the fix backported. So version comparison is wrong.

The announcement clearly said:

"Berlin, December 6, 2021 – The Document Foundation announces LibreOffice 7.2.4
Community and LibreOffice 7.1.8 Community to provide a key security fix.
Releases are immediately available from https://www.libreoffice.org/download/,
and all LibreOffice users are recommended to update their installation. Both
new versions include the fixed NSS 3.73.0 cryptographic library, to solve
CVE-2021-43527 (the nss secfix is the only change compared to the previous
version)."

Note especially the "the nss secfix is the only change compared to the previous version".

No. The security fix in 7.2.4 was because of nss.

As said in the actual advisory above.

Is this situation a rare problem, or is it representative of poor
security in backports?  Should I downgrade LibreOffice 7.2.3-2~bpo11+1
to 7.0.4-4+deb11u1 ASAP?

And if you used 7.0.4-4+deb11u1 you'd have (if you updated from security, which you should have..) the fix anyways - as you would when staying with 7.2.3-2~bpo11+1.

There was and is no "situation" or any "problem" here.

Since as said there was no need for any update _of LibreOffice_.

Regards,


Rene
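
The check Rene's point implies, as an added example that is not part of this thread and not Debian tooling: instead of comparing version strings against an upstream release, grep the changelog Debian ships with the installed package for the CVE id. That changelog only contains entries up to the installed version, so a hit means the fix is installed even though the upstream version (here nss 3.61) never changed. The package to look at is libnss3, since the advisory's only change was the NSS fix. The sample changelog below is constructed for illustration (versions, dates and the maintainer address are placeholders, and CVE-2021-99999 is a made-up id); `changelog.Debian.gz` under `/usr/share/doc/<pkg>/` is the real file the `main` block reads when run on a Debian system.

```python
import gzip
import re
from pathlib import Path

# Header line of a Debian changelog entry, e.g.
#   nss (2:3.61-1+deb11u2) bullseye-security; urgency=high
ENTRY_RE = re.compile(r"^(?P<src>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample changelog, newest entry first (Debian changelog order).
# Versions, dates and maintainer are placeholders; CVE-2021-99999 is a made-up id.
SAMPLE_CHANGELOG = """\
nss (2:3.61-1+deb11u2) bullseye-security; urgency=high

  * Backport the upstream fix for CVE-2021-43527.
    The upstream version stays 3.61; only the Debian revision changes.

 -- Example Maintainer <maint@example.invalid>  Wed, 01 Dec 2021 12:00:00 +0100

nss (2:3.61-1+deb11u1) bullseye-security; urgency=medium

  * Rebuild for bullseye-security (no CVE mentioned in this entry).

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Nov 2021 12:00:00 +0100

nss (2:3.61-1) unstable; urgency=medium

  * New upstream release, fixes CVE-2021-99999 (placeholder id).

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Mar 2021 12:00:00 +0100
"""


def parse_changelog(text):
    """Return a list of (version, distribution, set_of_cves), newest entry first."""
    entries = []
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = (m.group("version"), m.group("dist"), set())
            entries.append(current)
        elif current is not None:
            # Trailer and body lines are indented, so they never match ENTRY_RE;
            # collect every CVE id mentioned in the body of the current entry.
            current[2].update(CVE_RE.findall(line))
    return entries


def cve_fixed_in(text, cve):
    """Oldest version whose changelog entry mentions the CVE, or None if absent."""
    for version, _dist, cves in reversed(parse_changelog(text)):
        if cve in cves:
            return version
    return None


def upstream_version(debian_version):
    """Strip the epoch ('2:') and the Debian revision ('-1+deb11u2').

    What remains is the upstream version, which a backported security fix
    does not change; this is why comparing it against upstream's release
    number says nothing about whether the fix is installed.
    """
    v = debian_version.split(":", 1)[1] if ":" in debian_version else debian_version
    return v.rsplit("-", 1)[0] if "-" in v else v


def installed_changelog_mentions(pkg, cve, docroot="/usr/share/doc"):
    """Check the changelog shipped with an installed package for a CVE id.

    The shipped changelog ends at the installed version, so a hit means the
    fix is part of what is installed. Returns the fixing version, or None if
    the CVE is not mentioned or the package (or its changelog) is not installed.
    """
    path = Path(docroot) / pkg / "changelog.Debian.gz"
    if not path.exists():
        return None
    with gzip.open(path, "rt", errors="replace") as fh:
        return cve_fixed_in(fh.read(), cve)


if __name__ == "__main__":
    cve = "CVE-2021-43527"
    fixed = cve_fixed_in(SAMPLE_CHANGELOG, cve)
    print(f"sample changelog: {cve} fixed in {fixed}, upstream version still {upstream_version(fixed)}")
    # On a Debian system this reads /usr/share/doc/libnss3/changelog.Debian.gz.
    print(f"installed libnss3: {cve} fixed in {installed_changelog_mentions('libnss3', cve)}")
```

`apt changelog libnss3` and the Debian security tracker give the same answer from the archive side; the script is only the local equivalent of grepping the shipped changelog, and it deliberately implements no Debian version comparison, because for a backported fix the version order is not the question.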

