what's up with security?

[Joey Hess <joeyh@debian.org>]

If you read this week's Linux Weekly News 
(http://lwn.net/2000/0525/security.phtml), it would appear that Debian
is either perfect and has no security holes, or that unlike every other
major linux distribution, we are not fixing any. No security updates
have appeard on www.debian.org for 2 full months!

I don't think either is true. I think we're falling behind and not
keeping current on some security problems, and I think some fixes are
happening and are not getting advisories published.

What can we do to fix this? Isn't there supposed to be a security team
that tracks this stuff, does fixes if the maintainers are not resonsive,
and issues advisories?

(BTW, I'd like to know if debian is vulnerable to the following items
mentioned on LWN:

- New version of lynx, 2.8.3pre.5, appears to have actually been
  audited now, and has security fixes, though there are no details of
  them. Debian seems to have an older version.
- Mailman 2.0beta1 has some sort of "Security patch when using
  external archivers". Information on this one is scarce.
- Some xemacs fixes were reported: "A couple of problems in
  xemacs have been fixed, including the insecure creation of
  temporary files and snooping of other users' keystrokes." I remember
  seeing something about this on a debian list, but none of the xemacs
  packages in frozen seem to have been updated this year.
- A temp file race in openldap. I can't seem to find anything clear
  about what version it is fixed in, so I don't know if we are
  vulnerable.

I have already filed bugs on netscape, qpopper, and gnapster.)

-- 
see shy jo