[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: to reiterate, why are there no security updates on the front page? (Or, 17 security holes the security team hasn't told you about)

On Mon, May 29, 2000 at 12:31:01AM -0700, Joey Hess wrote:

> 3. To ensure that security fixes are available for all platforms,
>    including those the maintainer does not have easy access to.

this is NOT occuring, examples:

i386: diff updated to version 2.7-21 via security.debian.org

powerpc:  current version of diff still 2.7-20

changelog for diff version 2.7-21:

diff (2.7-21) frozen unstable; urgency=high

  * Avoid race condition in sdiff.c (edit) when creating temporary file.
    Patch by the upstream maintainer, Paul Eggert <eggert@twinsun.com>.
    Thanks to Colin Phipps <crp22@cam.ac.uk> for the report (Closes: #59730).

next a more severe security flaw in qpopper:

i386: current version of qpopper: 2.53-5
powerpc:  current version of qpopper: 2.53-3

changelog for qpopper:

qpopper (2.53-5) frozen unstable; urgency=high

  * Fix YET ANOTHER security hole that makes it possible to get a
    shell, even with "group mail" priviliges. (closes: #64602, #64649, #64627).
    See http://www.securityfocus.com/vdb/bottom.html?vid=1242
    See also http://www.digibel.org/~b0f/advisors/b0f5-Qpopper.txt

 -- Miquel van Smoorenburg <miquels@cistron.nl>  Thu, 25 May 2000 14:53:36 +0200

qpopper (2.53-4) frozen unstable; urgency=high

   * Fix security hole (fixes: #63730). Did not use the patch as supplied
     on bugtraq, but fixed it myself. See debian/fgets1023.patch
   * [snip]

so for qpopper we now not just one but *two* security bugs NOT fixed
for all platforms. 

> I don't know about 3. 4 seemed to be at least partly dealt with by the
> maintainers of the changelog entires I posted, and wasn't even necessary
> for all of them.

see above.

also note that netscape on powerpc is still at version 4.6, and there
is a security hole fixed in version 4.73. 4.73 must be packaged for
powerpc too.


Ethan Benson

Attachment: pgpWXHwoEJWTq.pgp
Description: PGP signature

Reply to: