
Re: Preparation of Debian GNU/Linux 2.2r4



Jonathan McDowell wrote:
> On Sat, Oct 13, 2001 at 12:32:24PM +0200, Martin Schulze wrote:
>  
> > My requirements for packages to go into stable:
> > 
> >  1. The package fixes a security problem.  Quite helpful would be an
> >     advisory issued by the Security Team already.
>  ...
> > Accepted packages
> > -----------------
> > 
> > These packages should make it into stable.
> > 
> > apache      stable    1.3.9-13.2  alpha, arm, i386, m68k, powerpc, sparc
> > apache      testing   1.3.19-1    alpha, arm, i386, m68k, powerpc, sparc
> > apache      unstable  1.3.19-1    hurd-i386
> > apache      unstable  1.3.20-1.1  alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390, sh, sparc
> > apache      updates   1.3.9-14    alpha, arm, i386, m68k, powerpc, sparc
> > 
> > install apache_1.3.9-14_alpha.changes
> > install apache_1.3.9-14_arm.changes
> > install apache_1.3.9-14_i386.changes
> > install apache_1.3.9-14_m68k.changes
> > install apache_1.3.9-14_powerpc.changes
> > install apache_1.3.9-14_sparc.changes
> > 
> > 	* Non-maintainer upload on behalf of Simon Huggins <huggie@earth.li>
> > 	* Applied patch from Martin Kraemer to fix mod_negotiation bug to prevent
> > 	  revealing of directory contents.
> > 
> > 	This looks like a half security update, right?
> 
> I'm not sure what you mean by "half". It fixes a known security problem
> with Apache and has had an advisory issued by the security team (and is
> available from security.debian.org). I strongly believe it should be
> included in 2.2r4.

It fixes the security problem, but due to a bug it won't reload, so
it's rather useless and requires a correction and a new upload.
The person who released DSA 067-1 knows about it.

Regards,

	Joey

-- 
The good thing about standards is that there are so many to choose from.
	-- Andrew S. Tanenbaum


