Binary NMU requested for mailman in sarge [was: mailman 2.1.5-8sarge3: screwup between security and maintainer upload]
On Wed, Sep 06, 2006 at 12:03:34PM +0200, Lionel Elie Mamane wrote:
> There seems to have been a screw-up in handling of mailman security
> and stable updates: There are two different mailman packages in Debian
> with version number 2.1.5-8sarge3.
> -8sarge3 maintainer update (that got frozen waiting for -8sarge2 to
> happen in order not to conflict with it) to fix bug #358575, a
> severity critical bug.
> -8sarge3 security update to fix:
> formt string vulnerability [src/common.c, debian/patches/72_CVE-2006-2191.dpatch]
> The situation right now:
> - sarge r3 contains mailman 2.1.5-8sarge3, but some architectures
> have the security update (such as i386) and others have the
> maintainer update (such as source, sparc and alpha).
> Thus all architectures are screwed up in one way or the other.
> Stable release team, please react accordingly; you may for example
> do a binary sourceless NMU for the architectures that have -8sarge3
> the security update so that they all have -8sarge3 the maintainer
I have now heard about what the security problem addressed in -8sarge3
the security update is. It is believed not to be exploitable. I thus
now officially request a binary NMU to replace -8sarge3 the security
update by -8sarge3 the maintainer update on the arches that have
-8sarge3 the security update.