On Tue, Sep 13, 2005 at 02:55:40PM +0200, Martin Schulze wrote:
> --------------------------------------------------------------------------
> Debian Security Advisory DSA 810-1                     security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> September 13th, 2005                    http://www.debian.org/security/faq
> --------------------------------------------------------------------------
>
> Package        : mozilla
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE IDs        : CAN-2004-0718 CAN-2005-1937 CAN-2005-2260 CAN-2005-2261
>                  CAN-2005-2263 CAN-2005-2265 CAN-2005-2266 CAN-2005-2268
>                  CAN-2005-2269 CAN-2005-2270
> BugTraq ID     : 14242
>
> Several problems have been discovered in Mozilla, the web browser of
> the Mozilla suite. Since the usual praxis of backporting apparently
> does not work for this package, this update is basically version
> 1.7.10 with the version number rolled back, and hence still named
> 1.7.8.

OK. Can someone please explain to me how this even passes the sanity
check? Why not just upload it with the correct version number?

I am concerned that a version of Mozilla claiming to be an earlier
version will eventually break user-installed extensions. I know that
this is typically not a concern for point releases. However, what
happens when version 1.8 (or whatever the next version is) is uploaded
and masquerades as 1.7.8? It will likely break some extensions. Some
users will invariably complain to the Mozilla devs, and Debian looks
kind of stupid because of it.

There really has to be a better way.

-Roberto

--
Roberto C. Sanchez
http://familiasanchez.net/~roberto