Re: Secure new packages (such as LibreOffice) for laptop: backports or Guix?
Hi again,
On 16.01.22 at 13:25, Rene Engelhard wrote:
On 03.01.22 at 13:10, Jorge P. de Morais Neto wrote:
For LibreOffice, I am using version 7.2.3-2~bpo11+1 from backports. On
December 6 I got an email from announce@documentfoundation.org about
version 7.2.4, containing a security fix. Yet bullseye-backports is
still on 7.2.3-2~bpo11+1, and, according to the Debian changelog, that
version is from November 28. It seems therefore to be insecure.
Addendum: This happens if one just compares version numbers without
even looking what the advisory was about.
NEVER EVER do that. Bug fixes in Debian stable also don't happen by
updating the version but by backporting the fix. In the theoretical
scenario when a new issue would be found in LO, stable will always stay
at 7.0.4 with the fix backported. So version-comparison is wrong.
The announcement clearly said:
"Berlin, December 6, 2021 – The Document Foundation announces
LibreOffice 7.2.4 Community and LibreOffice 7.1.8 Community to provide
a key security fix. Releases are immediately available from
https://www.libreoffice.org/download/, and all LibreOffice users are
recommended to update their installation. Both new version include the
fixed NSS 3.73.0 cryptographic library, to solve CVE-2021-43527 (the
nss secfix is the only change compared to the previous version)."
Note especially the "the nss secfix is the only change compared to the
previous version".
No. The security fix in 7.2.4 was because of nss.
As said in the actual advisory above.
Is this situation a rare problem, or is it representative of poor
security in backports? Should I downgrade LibreOffice 7.2.3-2~bpo11+1
to 7.0.4-4+deb11u1 ASAP?
And if you used 7.0.4-4+deb11u1 you'd have (if you updated from
security, which you should have..) the fix anyways - as you would when
staying with 7.2.3-2~bpo11+1.
There was and is no "situation" or any "problem" here.
Since as said there was no need for any update _of LibreOffice_.
Regards,
Rene