On Mon, May 29, 2000 at 12:31:01AM -0700, Joey Hess wrote:
[snip]
> 3. To ensure that security fixes are available for all platforms,
> including those the maintainer does not have easy access to.
this is NOT occurring, examples:
i386: diff updated to version 2.7-21 via security.debian.org
potato/updates
powerpc: current version of diff still 2.7-20
changelog for diff version 2.7-21:
diff (2.7-21) frozen unstable; urgency=high
* Avoid race condition in sdiff.c (edit) when creating temporary file.
Patch by the upstream maintainer, Paul Eggert <eggert@twinsun.com>.
Thanks to Colin Phipps <crp22@cam.ac.uk> for the report (Closes: #59730).
next a more severe security flaw in qpopper:
i386: current version of qpopper: 2.53-5
powerpc: current version of qpopper: 2.53-3
changelog for qpopper:
qpopper (2.53-5) frozen unstable; urgency=high
* Fix YET ANOTHER security hole that makes it possible to get a
shell, even with "group mail" privileges. (closes: #64602, #64649, #64627).
See http://www.securityfocus.com/vdb/bottom.html?vid=1242
See also http://www.digibel.org/~b0f/advisors/b0f5-Qpopper.txt
-- Miquel van Smoorenburg <miquels@cistron.nl> Thu, 25 May 2000 14:53:36 +0200
qpopper (2.53-4) frozen unstable; urgency=high
* Fix security hole (fixes: #63730). Did not use the patch as supplied
on bugtraq, but fixed it myself. See debian/fgets1023.patch
* [snip]
so for qpopper we now have not just one but *two* security bugs NOT fixed
for all platforms.
> I don't know about 3. 4 seemed to be at least partly dealt with by the
> maintainers of the changelog entries I posted, and wasn't even necessary
> for all of them.
see above.
also note that netscape on powerpc is still at version 4.6, and there
is a security hole fixed in version 4.73. 4.73 must be packaged for
powerpc too.
[snip]
--
Ethan Benson
http://www.alaska.net/~erbenson/