Hi Michael, hi LTS team, On Do 02 Jul 2015 11:17:41 CEST, Michael Vogt wrote:
Package : unattended-upgrades Version : 0.62.2+squeeze1 CVE ID : CVE-2015-1330 Bug : LP: #1466380 It was discovered that unattended-upgrades, a script for automatic installation of security upgrades, did not properly authenticate downloaded packages when the force-confold or force-confnew dpkg options were enabled via the DPkg::Options::* apt configuration. We recommend that you upgrade your unattended-upgrades package.
I just saw Michael's DLA announcement and realize that I have used the same DLA for pykerberos today.
Such an issue occurs, if people use bin/genDLA (from secure-testing repo), but don't push the resulting changes back to the secure-testing SVN.
(@Michael: Don't feel bad about this. It is a weakness in the workflow (sorry for saying that). I will check documentation later, to make sure it is very obvious that DLA mails may only be sent if that DLA number has been requested previously and also checked into SVN. I suppose that you have not pushed to SVN _before_ sending your DLA mail, right? As it seems, you haven't pushed the DLA entry in secure-testing at all, so far, right?).
This has happened before and I feel we need to get this DLA requesting/mail-sending system more fool proof, especially for DDs/DMs not directly involved with the LTS team and not so accustomed to the LTS team's workflow.
The only way I can think of in terms of making this more fool proof, I guess, is by rejecting mails to debian-lts-announce if
o a used DLA has not been reserved via the secure-testing SVN repo o the DLA has been reserved in the SVN repo, but for another package Feedback, comments? Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: firstname.lastname@example.org, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Description: Digitale PGP-Signatur