[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Binary NMU requested for mailman in sarge [was: mailman 2.1.5-8sarge3: screwup between security and maintainer upload]

On Wed, Sep 06, 2006 at 12:03:34PM +0200, Lionel Elie Mamane wrote:

> There seems to have been a screw-up in handling of mailman security
> and stable updates: There are two different mailman packages in Debian
> with version number 2.1.5-8sarge3.

>  -8sarge3 maintainer update (that got frozen waiting for -8sarge2 to
>   happen in order not to conflict with it) to fix bug #358575, a
>   severity critical bug.

>  -8sarge3 security update to fix:
>   formt string vulnerability [src/common.c, debian/patches/72_CVE-2006-2191.dpatch]

> The situation right now:

>  - sarge r3 contains mailman 2.1.5-8sarge3, but some architectures
>    have the security update (such as i386) and others have the
>    maintainer update (such as source, sparc and alpha).

>    Thus all architectures are screwed up in one way or the other.

> Stable release team, please react accordingly; you may for example
> do a binary sourceless NMU for the architectures that have -8sarge3
> the security update so that they all have -8sarge3 the maintainer
> update.

I have now heard about what the security problem addressed in -8sarge3
the security update is. It is believed not to be exploitable. I thus
now officially request a binary NMU to replace -8sarge3 the security
update by -8sarge3 the maintainer update on the arches that have
-8sarge3 the security update.


Reply to: