[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Security slightly compromised. Why is lenny-security altering uw-imap_2007b~dfsg.orig.tar.gz?


I run reprepro to create a local mirror for lenny, lenny-security and
sid. Since I have it setup to put all 3 into a common pool I noticed
the following:

Package: uw-imap
Version: 7:2007b~dfsg-3
 b52118669abf422f766d14e3e2d69daa 1608456 uw-imap_2007b~dfsg.orig.tar.gz

Package: uw-imap
Version: 8:2007b~dfsg-1
 b52118669abf422f766d14e3e2d69daa 1608456 uw-imap_2007b~dfsg.orig.tar.gz

Package: uw-imap
Version: 7:2007b~dfsg-4+lenny1
 13dc7a81451e676f29ed840ba81b79ca 1617554 uw-imap_2007b~dfsg.orig.tar.gz

As you can see Lenny-Security has a different orig.tar.gz than
Lenny/Sid. This creates a problem for my reprepro as it detects a
size/md5sum mismatch, aborts and sends me an angry mail. But more
importantly this prevents the security update from entering Lenny:


Rejected: md5sum and/or size mismatch on existing copy of uw-imap_2007b~dfsg.orig.tar.gz.
Rejected: can not overwrite existing copy of 'uw-imap_2007b~dfsg.orig.tar.gz' already in the archive.

As it is the vulnerable version of uw-imap will remain in Lenny and
Lenny will have a known security bug that is totaly avoidable. From
the timestamp above you can see that this problem has been around over
a month.

Does anyone care?


Reply to: