Preparation of Debian GNU/Linux 2.2r7
=====================================

An up-to-date version is at http://master.debian.org/~joey/2.2r7/

I am preparing another revision of the stable Debian distribution (r7)
and will infrequently send reports so people can actually comment on
it and intervene whenever this is required.

The plan is to get this revision of Debian GNU/Linux 2.2 (codename
`potato') out at the beginning of July this year (2002).

James Troup still has to give the final approval for each package
since he is the ftpmaster involved with stable revisions.  However, I
will try to make his work as easy as possible in the hope of getting
the next revision out properly.  Thanks for your attention.

This may also be the last version of the 2.2 series, depending on how
well the woody release is making progress.

My requirements for packages to go into stable:

 1. The package fixes a security problem.  An advisory by our own
    Security Team would be quite helpful.  I really should make this a
    requirement for security uploads.

 2. The package fixes a critical bug which can lead to data loss,
    data corruption, or an overly broken system, or the package is
    broken or not usable (anymore).

 3. The stable version of the package is not installable at all due to
    broken or unmet dependencies or broken installation scripts.

 4. All released architectures have to be in sync.

Packages, which I will most probably reject:

 . Packages which fix non-critical bugs.

 . Misplaced uploads, i.e. packages that were uploaded to 'stable
   unstable' or `frozen unstable'.

 . Packages for which its binary packages are out of sync with regard
   to all supported architectures in the stable distribution.

 . Binary packages for which the source got lost somehow.

Accepted packages
-----------------

These packages should be installed into stable and be part of the
next revision.

analog  stable   2:5.22-0potato3  alpha, arm, i386, m68k, powerpc, sparc, source
analog  updates  2:5.22-0potato4  alpha, arm, i386, m68k, powerpc, sparc, source

    DSA 125, backport of 5.22 for security reasons.  The advisory
    mentions version 5.22-0potato1, though.

apache-common  stable   1.3.9-14    alpha, arm, i386, m68k, powerpc, sparc
apache-common  updates  1.3.9-14.1  alpha, arm, i386, m68k, powerpc, sparc
apache-dev     stable   1.3.9-14    alpha, arm, i386, m68k, powerpc, sparc
apache-dev     updates  1.3.9-14.1  alpha, arm, i386, m68k, powerpc, sparc
apache-doc     stable   1.3.9-14    all
apache-doc     updates  1.3.9-14.1  all
apache         stable   1.3.9-14    alpha, arm, i386, m68k, powerpc, sparc, source
apache         updates  1.3.9-14.1  alpha, arm, i386, m68k, powerpc, sparc, source

    DSA 131

apache-perl  stable   1.3.9-13.1-1.21.20000309-1  alpha, arm, i386, m68k, powerpc, sparc, source
apache-perl  updates  1.3.9-14.1-1.21.20000309-1  alpha, arm, i386, m68k, powerpc, sparc, source

    DSA 133

apache-ssl  updates  1.3.9.13-4.1  alpha, arm, i386, m68k, powerpc, sparc, source

    DSA 132

cupsys-bsd      stable   1.0.4-9   alpha, arm, i386, m68k, powerpc, sparc
cupsys-bsd      updates  1.0.4-12  alpha, arm, i386, m68k, powerpc, sparc
cupsys          stable   1.0.4-9   alpha, arm, i386, m68k, powerpc, sparc, source
cupsys          updates  1.0.4-12  alpha, arm, i386, m68k, powerpc, sparc, source
libcupsys1-dev  stable   1.0.4-9   alpha, arm, i386, m68k, powerpc, sparc
libcupsys1-dev  updates  1.0.4-12  alpha, arm, i386, m68k, powerpc, sparc
libcupsys1      stable   1.0.4-9   alpha, arm, i386, m68k, powerpc, sparc
libcupsys1      updates  1.0.4-12  alpha, arm, i386, m68k, powerpc, sparc

    -10: Security upload: DSA 110, Buffer overflow
    -11: More security fixes: more complete patch for attribute
         buffer handling and a more correct path validation check to
         prevent ".." attacks.
    -12: Remove lpd backend for security reasons.

erlang-base  stable   49.1-10    all
erlang-base  updates  49.1-10.1  all
erlang-erl   stable   49.1-10    all
erlang-erl   updates  49.1-10.1  all
erlang-java  stable   49.1-10    all
erlang-java  updates  49.1-10.1  all
erlang       stable   49.1-10    i386, powerpc, sparc, source
erlang       updates  49.1-10.1  i386, powerpc, sparc, source

    Probably from the zlib fuckup

    * Non-maintainer upload by the Security Team
    * Apply patch for double-free bug to included copy of zlib

ethereal  stable   0.8.0-2potato  alpha, arm, i386, m68k, powerpc, sparc, source
ethereal  updates  0.8.0-3potato  alpha, arm, i386, m68k, powerpc, sparc, source

    Security upload (backports of 0.9.3) - DSA 130
    - asn1.c: fixes zero-length g_malloc that could have caused
      problems.
    - asn1.c: fixes possible buffer overflow.

horde  stable   2:1.2.6-0.potato.4  all, source
horde  updates  2:1.2.6-0.potato.5  all, source
imp    stable   2:2.2.6-0.potato.4  all, source
imp    updates  2:2.2.6-0.potato.5  all, source

    DSA 126

qpopper  stable   2.53-5  alpha, arm, i386, m68k, powerpc, sparc, source
qpopper  updates  2.53-7  alpha, arm, i386, m68k, powerpc, sparc, source

    Fix a bug that can cause lost data and DoS. (closes:#140784, #114300)
    This only affected qpopper-2.23 and before.
    Thanks for Masaki Ikeda <masaki@orange.co.jp>'s patch.

    !!! Not yet verified !!!

sudo  stable   1.6.2p2-2.1  alpha, arm, i386, m68k, powerpc, sparc, source
sudo  updates  1.6.2p2-2.2  alpha, arm, i386, m68k, powerpc, sparc, source

    DSA 128

uucp  stable   1.06.1-11potato2  alpha, arm, i386, m68k, powerpc, sparc, source
uucp  updates  1.06.1-11potato3  alpha, arm, i386, m68k, powerpc, sparc, source

    DSA 129

xsane  stable   0.50-5    alpha, arm, i386, m68k, powerpc, sparc, source
xsane  updates  0.50-5.1  alpha, arm, i386, m68k, powerpc, sparc, source

    DSA 118 - insecure temporary files

Further investigation
---------------------

These packages need further investigation.  One reason the package is
listed here could be that I'm not yet convinced this package should go
into stable, but don't want to reject it entirely at the moment.
Another reason could be that released and updated architectures are
not in sync yet.

cfengine-doc  stable   1.5.3-6      all
cfengine-doc  updates  1.5.3-7      all
cfengine      stable   1.5.3-6      arm, i386, m68k, powerpc, sparc, source
cfengine      stable   1.5.3-6.0.1  alpha
cfengine      updates  1.5.3-7      alpha, arm, i386, m68k, powerpc, sparc, source

    Changelog says: fix stat -> lstat in src/image.c, else a symlink
    might be followed if we are purging.  This is a security bug!

    Requires attention from the security team

dns-browse  stable   1.6-4  all, source
dns-browse  updates  1.6-5  all, source

    Changelog says: Fixed dns_tree so that it uses the HOME directory
    for cache files (Closes: #146591)

    This requires action by the Security Team

freeamp-doc        stable   2.0.6-2    all
freeamp-doc        updates  2.0.6-2.1  all
freeamp            stable   1.3.1-5    m68k, powerpc
freeamp            stable   2.0.6-1    arm
freeamp            stable   2.0.6-2    alpha, i386, sparc, source
freeamp            updates  2.0.6-2.1  i386, sparc, source
libfreeamp-alsa    stable   2.0.6-2    alpha, i386, sparc
libfreeamp-alsa    updates  2.0.6-2.1  i386, sparc
libfreeamp-esound  stable   2.0.6-1    arm
libfreeamp-esound  stable   2.0.6-2    alpha, i386, sparc
libfreeamp-esound  updates  2.0.6-2.1  i386, sparc

    * Non-maintainer upload by the security team
    * Apply patch for zlib double-free bug

    Looks like a leaf of the zlib disaster

    MISSING alpha: elmo -u -e -a source -v 2.0.6-2.1 freeamp

listar-cgi  stable   0.129a-2.potato1  alpha, arm, i386, m68k, powerpc, sparc
listar-cgi  updates  0.129a-2.potato2  alpha, arm, i386, m68k, sparc
listar      stable   0.129a-2.potato1  alpha, arm, i386, m68k, powerpc, sparc, source
listar      updates  0.129a-2.potato2  alpha, arm, i386, m68k, sparc, source

    DSA 123 - covers 0.129a-2.potato1, though.  This one adds:

    * SECURITY: Applied argv security fixes from the Ecartis tree.

    MISSING powerpc

photopc  stable   2.1-1   powerpc
photopc  stable   2.8-3   arm
photopc  stable   3.02-2  alpha, i386, sparc, source
photopc  updates  3.02-2  powerpc

    Get versions in sync.

    MISSING arm

unixcw  stable   1.1a-2  arm
unixcw  stable   1.1a-5  alpha, i386, source
unixcw  updates  1.1a-5  powerpc, sparc

    Get package in sync through all architectures.

    MISSING arm

vrweb  stable   1.5-5    alpha, arm, i386, m68k, powerpc, sparc, source
vrweb  updates  1.5-5.1  alpha, i386, powerpc, sparc, source

    * Non-maintainer upload by the security team
    * Upgrade zlib to 1.1.3 and apply patch for double-free bug

    Cleaning bits from the zlib disaster

wmtv  stable  0.6.5-2.0.1    sparc
wmtv  stable  0.6.5-2potato2  alpha, arm, i386, m68k, powerpc, source

    Security Upload, DSA 108, symlink vulnerability

    Why the HELL got the sparc package lost?  Looks like the file is
    there but the database doesn't know about it.

    MISSING sparc

zlib-bin      stable   1:1.1.3-5      alpha, arm, i386, powerpc, sparc
zlib-bin      stable   1:1.1.3-5.0.1  m68k
zlib-bin      updates  1:1.1.3-5.1    alpha, arm, i386, powerpc, sparc
zlib1-altdev  stable   1:1.1.3-3      sparc
zlib1-altdev  stable   1:1.1.3-5      i386
zlib1-altdev  stable   1:1.1.3-5.0.1  m68k
zlib1-altdev  updates  1:1.1.3-5.1    i386
zlib1g-dev    stable   1:1.1.3-5      alpha, arm, i386, powerpc, sparc
zlib1g-dev    stable   1:1.1.3-5.0.1  m68k
zlib1g-dev    updates  1:1.1.3-5.1    alpha, arm, i386, powerpc, sparc
zlib1g        stable   1:1.1.3-5      alpha, arm, i386, powerpc, sparc
zlib1g        stable   1:1.1.3-5.0.1  m68k
zlib1g        updates  1:1.1.3-5.1    alpha, arm, i386, powerpc, sparc
zlib1         stable   1:1.1.3-3      sparc
zlib1         stable   1:1.1.3-5      i386
zlib1         stable   1:1.1.3-5.0.1  m68k
zlib1         updates  1:1.1.3-5.1    i386
zlib          stable   1:1.1.3-5      source
zlib          updates  1:1.1.3-5.1    source

    DSA 122 - zlib strikes back

    MISSING m68k

Rejected packages
-----------------

These packages don't meet the requirements.

dvi2ps-fontdata-a2n       stable   1.0-5  all
dvi2ps-fontdata-a2n       updates  1.0-7  all
dvi2ps-fontdata-bsr       stable   1.0-5  all
dvi2ps-fontdata-bsr       updates  1.0-7  all
dvi2ps-fontdata-ja        stable   1.0-5  all
dvi2ps-fontdata-ja        updates  1.0-7  all
dvi2ps-fontdata-n2a       stable   1.0-5  all
dvi2ps-fontdata-n2a       updates  1.0-7  all
dvi2ps-fontdata-ptexfake  stable   1.0-5  all
dvi2ps-fontdata-ptexfake  updates  1.0-7  all
dvi2ps-fontdata-rrs       stable   1.0-5  all
dvi2ps-fontdata-rrs       updates  1.0-7  all
dvi2ps-fontdata-rsp       stable   1.0-5  all
dvi2ps-fontdata-rsp       updates  1.0-7  all
dvi2ps-fontdata-tbank     stable   1.0-5  all
dvi2ps-fontdata-tbank     updates  1.0-7  all
dvi2ps-fontdata-three     stable   1.0-5  all
dvi2ps-fontdata-three     updates  1.0-7  all

    Misplaced upload to 'stable unstable'

efingerd  stable   1.3    alpha, arm, i386, m68k, powerpc, sparc, source
efingerd  updates  1.3.2  alpha, arm, i386, m68k, powerpc, sparc, source

    Alleged security update, .1 and .2 are broken, though.  Joey is
    discussing the issue with the maintainer.

jtex-base  stable   1.8-6  all, source
jtex-base  updates  1.8-7  all, source

    Misplaced upload, stable+unstable

rsync  stable   2.3.2-1.2  alpha, arm, i386, m68k, powerpc, sparc
rsync  updates  2.3.2-1.3  alpha, arm, i386, m68k, powerpc, sparc

    DSA 106

    Broken packages, hence rejecting

Disclaimer
----------

This list intends to help the ftp-masters releasing 2.2r7.  They have
the final power to accept a package or not.  If you want to comment on
this list, please send a mail to Martin Schulze <joey@debian.org>.

-- 
Every use of Linux is a proper use of Linux.  -- John "Maddog" Hall

Please always Cc to me when replying to me on the lists.