[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Preparation of Debian GNU/Linux 2.2r7



Preparation of Debian GNU/Linux 2.2r7
=====================================

An up-to-date version is at http://master.debian.org/~joey/2.2r7/

I am preparing another revision of the stable Debian distribution (r7)
and will infrequently send reports so people can actually comment on
it and intervene whenever this is required.

The plan is to get this revision of Debian GNU/Linux 2.2 (codename
`potato') out at the beginning of July this year (2002).  James Troup
still has to give the final approval for each package since he is the
ftpmaster involved with stable revisions.  However, I will try to make
his work as easy as possible in the hope to get the next revision out
properly.  Thanks for your attention.

This may also be the last version of the 2.2 series, depending on how
well the woody release is making progress.

My requirements for packages to go into stable:

 1. The package fixes a security problem.  An advisory by our own
    Security Team would be quite helpful.  I really should make this a
    requirement for security uploads.

 2. The package fixes a critical bug which can lead into data loss,
    data corruption, or an overly broken system, or the package is
    broken or not usable (anymore).

 3. The stable version of the package is not installable at all due to
    broken or unmet dependencies or broken installation scripts.

 4. All released architectures have to be in sync.

Packages, which I will most probably reject:

  . Package which fix non-critical bugs.

  . Misplaced uploads, i.e. packages that were uploaded to 'stable
    unstable' or `frozen unstable'.

  . Packages for which its binary packages are out of sync with regard
    to all supported architectures in the stable distribution.

  . Binary packages for which the source got lost somehow.

Accepted packages
-----------------

These packages should be installed into stable and be part of the next
revision.

analog      stable    2:5.22-0potato3  alpha, arm, i386, m68k, powerpc, sparc, source
analog      updates   2:5.22-0potato4  alpha, arm, i386, m68k, powerpc, sparc, source

	DSA 125, backport of 5.22 for security reasons.  The advisory
	mentions version 5.22-0potato1, though.

apache-common  stable    1.3.9-14    alpha, arm, i386, m68k, powerpc, sparc
apache-common  updates   1.3.9-14.1  alpha, arm, i386, m68k, powerpc, sparc
apache-dev     stable    1.3.9-14    alpha, arm, i386, m68k, powerpc, sparc
apache-dev     updates   1.3.9-14.1  alpha, arm, i386, m68k, powerpc, sparc
apache-doc     stable    1.3.9-14    all
apache-doc     updates   1.3.9-14.1  all
apache         stable    1.3.9-14    alpha, arm, i386, m68k, powerpc, sparc, source
apache         updates   1.3.9-14.1  alpha, arm, i386, m68k, powerpc, sparc, source

	DSA 131

apache-perl  stable    1.3.9-13.1-1.21.20000309-1  alpha, arm, i386, m68k, powerpc, sparc, source
apache-perl  updates   1.3.9-14.1-1.21.20000309-1  alpha, arm, i386, m68k, powerpc, sparc, source

	DSA 133

apache-ssl  updates   1.3.9.13-4.1  alpha, arm, i386, m68k, powerpc, sparc, source

	DSA 132

cupsys-bsd      stable    1.0.4-9     alpha, arm, i386, m68k, powerpc, sparc
cupsys-bsd      updates   1.0.4-12    alpha, arm, i386, m68k, powerpc, sparc
cupsys          stable    1.0.4-9     alpha, arm, i386, m68k, powerpc, sparc, source
cupsys          updates   1.0.4-12    alpha, arm, i386, m68k, powerpc, sparc, source
libcupsys1-dev  stable    1.0.4-9     alpha, arm, i386, m68k, powerpc, sparc
libcupsys1-dev  updates   1.0.4-12    alpha, arm, i386, m68k, powerpc, sparc
libcupsys1      stable    1.0.4-9     alpha, arm, i386, m68k, powerpc, sparc
libcupsys1      updates   1.0.4-12    alpha, arm, i386, m68k, powerpc, sparc

	-10: Security upload: DSA 110, Buffer overflow

	-11: More security fixes: more complete patch for attribute
	buffer handling and a more correct path validation check to
	prevent ".." attacks.

	-12: Remove lpd backend for security reasons.

erlang-base  stable    49.1-10     all
erlang-base  updates   49.1-10.1   all
erlang-erl   stable    49.1-10     all
erlang-erl   updates   49.1-10.1   all
erlang-java  stable    49.1-10     all
erlang-java  updates   49.1-10.1   all
erlang       stable    49.1-10     i386, powerpc, sparc, source
erlang       updates   49.1-10.1   i386, powerpc, sparc, source

	Probably from the zlib fuckup

	* Non-maintainer upload by the Security Team
	* Apply patch for double-free bug to included copy of zlib

ethereal    stable    0.8.0-2potato  alpha, arm, i386, m68k, powerpc, sparc, source
ethereal    updates   0.8.0-3potato  alpha, arm, i386, m68k, powerpc, sparc, source

	Security upload (backports of 0.9.3) - DSA 130

	- asn1.c: fixes zero-length g_malloc that could have caused problems.

	- asn1.c: fixes possible buffer overflow.

horde       stable    2:1.2.6-0.potato.4  all, source
horde       updates   2:1.2.6-0.potato.5  all, source
imp         stable    2:2.2.6-0.potato.4  all, source
imp         updates   2:2.2.6-0.potato.5  all, source

	DSA 126

qpopper     stable    2.53-5      alpha, arm, i386, m68k, powerpc, sparc, source
qpopper     updates   2.53-7      alpha, arm, i386, m68k, powerpc, sparc, source

	Fix a bug that can cause lost data and DoS. (closes:#140784,
	#114300) This only affected qpoper-2.23 and before.  Thank for
	Masaki Ikeda <masaki@orange.co.jp>'s patch.

	!!! Not yet verified !!!

sudo        stable    1.6.2p2-2.1  alpha, arm, i386, m68k, powerpc, sparc, source
sudo        updates   1.6.2p2-2.2  alpha, arm, i386, m68k, powerpc, sparc, source

	DSA 128

uucp        stable    1.06.1-11potato2  alpha, arm, i386, m68k, powerpc, sparc, source
uucp        updates   1.06.1-11potato3  alpha, arm, i386, m68k, powerpc, sparc, source

	DSA 129

xsane          stable    0.50-5      alpha, arm, i386, m68k, powerpc, sparc, source
xsane          updates   0.50-5.1    alpha, arm, i386, m68k, powerpc, sparc, source

	DSA 118 - insecure temporary files


Further investigation
---------------------

These packages need further investigation.  One reason the package is
listed here could be that I'm not yet convinced this package should go
into stable, but don't want to reject it entirely at the moment.
Another reason could be that released and updated architectures are
not in sync yet.

cfengine-doc  stable    1.5.3-6      all
cfengine-doc  updates   1.5.3-7      all
cfengine      stable    1.5.3-6      arm, i386, m68k, powerpc, sparc, source
cfengine      stable    1.5.3-6.0.1  alpha
cfengine      updates   1.5.3-7      alpha, arm, i386, m68k, powerpc, sparc, source

	Changelog says: fix stat -> lstat in src/image.c, else a
	symlink might be followed if we are purging.  This is security
	bug!

	Requires attention from the security team

dns-browse  stable    1.6-4       all, source
dns-browse  updates   1.6-5       all, source

	Changelog says: Fixed dns_tree so that it uses the HOME
	directory for cache files (Closes: #146591)

	This requires action by the Security Team

freeamp-doc        stable    2.0.6-2     all
freeamp-doc        updates   2.0.6-2.1   all
freeamp            stable    1.3.1-5     m68k, powerpc
freeamp            stable    2.0.6-1     arm
freeamp            stable    2.0.6-2     alpha, i386, sparc, source
freeamp            updates   2.0.6-2.1   i386, sparc, source
libfreeamp-alsa    stable    2.0.6-2     alpha, i386, sparc
libfreeamp-alsa    updates   2.0.6-2.1   i386, sparc
libfreeamp-esound  stable    2.0.6-1     arm
libfreeamp-esound  stable    2.0.6-2     alpha, i386, sparc
libfreeamp-esound  updates   2.0.6-2.1   i386, sparc

	* Non-maintainer upload by the security team
	* Apply patch for zlib double-free bug

	Looks like a leaf of the zlib disaster

	M-ISSING alpha: elmo -u -e -a source -v 2.0.6-2.1 freeamp

listar-cgi  stable    0.129a-2.potato1  alpha, arm, i386, m68k, powerpc, sparc
listar-cgi  updates   0.129a-2.potato2  alpha, arm, i386, m68k, sparc
listar      stable    0.129a-2.potato1  alpha, arm, i386, m68k, powerpc, sparc, source
listar      updates   0.129a-2.potato2  alpha, arm, i386, m68k, sparc, source

	DSA 123 - covers 0.129a-2.potato1, though.  This one adds:

	* SECURITY: Applied argv security fixes from the Ecartis tree.

	MISSING powerpc

photopc     stable    2.1-1       powerpc
photopc     stable    2.8-3       arm
photopc     stable    3.02-2      alpha, i386, sparc, source
photopc     updates   3.02-2      powerpc

	Get versions in sync.

	MISSING arm

unixcw      stable    1.1a-2      arm
unixcw      stable    1.1a-5      alpha, i386, source
unixcw      updates   1.1a-5      powerpc, sparc

	Get package in sync through all architectures.

	MISSING arm

vrweb       stable    1.5-5       alpha, arm, i386, m68k, powerpc, sparc, source
vrweb       updates   1.5-5.1     alpha, i386, powerpc, sparc, source

	* Non-maintainer upload by the security team
	* Upgrade zlib to 1.1.3 and apply patch for double-free bug

	Cleaning bits from the zlib disaster

wmtv        stable    0.6.5-2.0.1     sparc
wmtv        stable    0.6.5-2potato2  alpha, arm, i386, m68k, powerpc, source

	Security Upload, DSA 108, symlink vulnerability

	Why the HELL got the sparc package lost?

	Looks like the file is there but the database doesn't know about it.

	MISSING sparc

zlib-bin      stable    1:1.1.3-5      alpha, arm, i386, powerpc, sparc
zlib-bin      stable    1:1.1.3-5.0.1  m68k
zlib-bin      updates   1:1.1.3-5.1    alpha, arm, i386, powerpc, sparc
zlib1-altdev  stable    1:1.1.3-3      sparc
zlib1-altdev  stable    1:1.1.3-5      i386
zlib1-altdev  stable    1:1.1.3-5.0.1  m68k
zlib1-altdev  updates   1:1.1.3-5.1    i386
zlib1g-dev    stable    1:1.1.3-5      alpha, arm, i386, powerpc, sparc
zlib1g-dev    stable    1:1.1.3-5.0.1  m68k
zlib1g-dev    updates   1:1.1.3-5.1    alpha, arm, i386, powerpc, sparc
zlib1g        stable    1:1.1.3-5      alpha, arm, i386, powerpc, sparc
zlib1g        stable    1:1.1.3-5.0.1  m68k
zlib1g        updates   1:1.1.3-5.1    alpha, arm, i386, powerpc, sparc
zlib1         stable    1:1.1.3-3      sparc
zlib1         stable    1:1.1.3-5      i386
zlib1         stable    1:1.1.3-5.0.1  m68k
zlib1         updates   1:1.1.3-5.1    i386
zlib          stable    1:1.1.3-5      source
zlib          updates   1:1.1.3-5.1    source

	DSA 122 - zlib strikes back

	MISSING m68k


Rejected packages
-----------------

These packages don't meet the requirements.

dvi2ps-fontdata-a2n       stable    1.0-5       all
dvi2ps-fontdata-a2n       updates   1.0-7       all
dvi2ps-fontdata-bsr       stable    1.0-5       all
dvi2ps-fontdata-bsr       updates   1.0-7       all
dvi2ps-fontdata-ja        stable    1.0-5       all
dvi2ps-fontdata-ja        updates   1.0-7       all
dvi2ps-fontdata-n2a       stable    1.0-5       all
dvi2ps-fontdata-n2a       updates   1.0-7       all
dvi2ps-fontdata-ptexfake  stable    1.0-5       all
dvi2ps-fontdata-ptexfake  updates   1.0-7       all
dvi2ps-fontdata-rrs       stable    1.0-5       all
dvi2ps-fontdata-rrs       updates   1.0-7       all
dvi2ps-fontdata-rsp       stable    1.0-5       all
dvi2ps-fontdata-rsp       updates   1.0-7       all
dvi2ps-fontdata-tbank     stable    1.0-5       all
dvi2ps-fontdata-tbank     updates   1.0-7       all
dvi2ps-fontdata-three     stable    1.0-5       all
dvi2ps-fontdata-three     updates   1.0-7       all

       Misplaced upload to 'stable unstable'

efingerd    stable    1.3         alpha, arm, i386, m68k, powerpc, sparc, source
efingerd    updates   1.3.2       alpha, arm, i386, m68k, powerpc, sparc, source

	Alleged security update, .1 and .2 are broken, though.

	Joey is discussion the issue with the maintainer.

jtex-base   stable    1.8-6       all, source
jtex-base   updates   1.8-7       all, source

	Misplaced upload, stable+unstable

rsync       stable    2.3.2-1.2   alpha, arm, i386, m68k, powerpc, sparc
rsync       updates   2.3.2-1.3   alpha, arm, i386, m68k, powerpc, sparc

	DSA 106

	Broken packages, hence rejecting


Disclaimer
----------

This list intends to help the ftp-masters releasing 2.2r7.  They have the
final power to accept a package or not.  If you want to comment on
this list, please send a mail to Martin Schulze <joey@debian.org>.


-- 
Every use of Linux is a proper use of Linux.  -- John "Maddog" Hall

Please always Cc to me when replying to me on the lists.

Attachment: pgpIhPCxhbEDH.pgp
Description: PGP signature


Reply to: