
Re: Security slightly compromised. Why is lenny-security altering uw-imap_2007b~dfsg.orig.tar.gz?



Ccing maintainer.

Hi,
* Goswin von Brederlow <goswin-v-b@web.de> [2008-12-14 20:14]:
> I run reprepro to create a local mirror for lenny, lenny-security and
> sid. Since I have it setup to put all 3 into a common pool I noticed
> the following:
[...] 
> As you can see Lenny-Security has a different orig.tar.gz than
> Lenny/Sid. This creates a problem for my reprepro as it detects a
> size/md5sum mismatch, aborts and sends me an angry mail. But more
> importantly this prevents the security update from entering Lenny:
> 
> 20081106164710|process-unchecked|rejected|uw-imap_2007b~dfsg-4+lenny1_amd64.changes
> 
> Rejected: md5sum and/or size mismatch on existing copy of uw-imap_2007b~dfsg.orig.tar.gz.
> Rejected: can not overwrite existing copy of 'uw-imap_2007b~dfsg.orig.tar.gz' already in the archive.

This update was unfortunately a bit problematic, to make the 
story short uw-imap was uploaded as 7:2007b~dfsg-4 but we 
then requested to upload this as -3+lenny1 to mark it as a 
security update and to prevent broken updates in case 
7:2007d~dfsg-1 gets rejected from NEW (in -3+lenny1 is also 
the upstream tarball change).

Unfortunately -3+lenny1 was rejected on klecker because the 
orig.tar.gz of the old build was still lying around in the 
queue. As we can not use the same version twice on klecker 
-4+lenny1 was uploaded as a rebuild of -3+lenny1 and the 
upstream tarball change was overlooked in that chaos.

> As it is the vulnerable version of uw-imap will remain in Lenny and
> Lenny will have a known security bug that is totally avoidable. From
> the timestamp above you can see that this problem has been around over
> a month.
> 
> Does anyone care?

Yes.

I see two possibilities here, one option is to get 
8:2007b~dfsg-1 unblocked and let this migrate to lenny 
(there is some weird SONAME change though) or to reupload a 
+lenny2 version to testing-security again.

Opinions?

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
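The rejection quoted in the thread is a shared-pool invariant being enforced: a file with a given name (here the .orig.tar.gz) must be byte-identical in every suite that feeds the same pool, so dak compares the md5sum and size recorded for the incoming upload against the copy already in the archive. The following is an added illustration of that check, written for this page and not code from reprepro, dak or the uw-imap package. It parses the `Files:` stanza of two suites' Sources indexes (the checksums, sizes and the second `.dsc`/`.diff.gz` names are constructed placeholders, not the real values from the archive) and reports any filename whose record differs between suites; a second helper verifies a local file's bytes against the index record.

```python
"""Detect same-named source files whose md5sum/size differ between suites.

Added illustration, not part of the original thread or of reprepro/dak.
A shared pool requires that a given filename (notably the .orig.tar.gz)
be byte-identical in every suite; this mirrors the check behind the
"md5sum and/or size mismatch" rejection quoted in the thread.
"""
import hashlib
import re
from collections import defaultdict

# One line of a Sources "Files:" stanza: <md5sum> <size> <filename>
FILES_LINE = re.compile(r"^\s*([0-9a-f]{32})\s+(\d+)\s+(\S+)\s*$")

# Constructed sample stanzas: checksums, sizes and the -4+lenny1 file
# names are placeholders, not values taken from the Debian archive.
SAMPLE_INDEXES = {
    "lenny": """
 3b9e1d7f5c2a4e8b0d6f1a3c5e7b9d1f 1181 uw-imap_2007b~dfsg-3.dsc
 9f86d081884c7d659a2feaa0c55ad015 1921937 uw-imap_2007b~dfsg.orig.tar.gz
 2c26b46b68ffc68ff99b453c1d304134 58043 uw-imap_2007b~dfsg-3.diff.gz
""",
    "lenny-security": """
 7d793037a0760186574b0282f2f435e7 1193 uw-imap_2007b~dfsg-4+lenny1.dsc
 e3b0c44298fc1c149afbf4c8996fb924 1915201 uw-imap_2007b~dfsg.orig.tar.gz
 a1b2c3d4e5f60718293a4b5c6d7e8f90 60112 uw-imap_2007b~dfsg-4+lenny1.diff.gz
""",
}


def parse_files_stanza(text):
    """Return {filename: (md5sum, size)} from the lines of a Files: stanza."""
    entries = {}
    for line in text.splitlines():
        m = FILES_LINE.match(line)
        if m:
            md5sum, size, name = m.groups()
            entries[name] = (md5sum, int(size))
    return entries


def find_pool_conflicts(indexes):
    """Return [(filename, {suite: (md5sum, size)})] for every filename whose
    recorded md5sum/size is not identical across all suites listing it."""
    seen = defaultdict(dict)
    for suite, text in indexes.items():
        for name, ident in parse_files_stanza(text).items():
            seen[name][suite] = ident
    conflicts = []
    for name, per_suite in sorted(seen.items()):
        if len(set(per_suite.values())) > 1:
            conflicts.append((name, per_suite))
    return conflicts


def verify_local_copy(data, expected_md5, expected_size):
    """True only if a file's bytes match both the md5sum and the size that
    the index records for it (the same two fields dak compared)."""
    return (hashlib.md5(data).hexdigest() == expected_md5
            and len(data) == expected_size)


if __name__ == "__main__":
    for name, per_suite in find_pool_conflicts(SAMPLE_INDEXES):
        print("mismatch:", name)
        for suite, (md5sum, size) in sorted(per_suite.items()):
            print("  %-15s %s %d" % (suite, md5sum, size))
```

Running the script flags only `uw-imap_2007b~dfsg.orig.tar.gz`, because the `.dsc` and `.diff.gz` names carry the Debian revision and so never collide between suites; a mirror that runs this comparison before importing a suite can report the conflict up front instead of aborting half way through a pool update.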
