Re: [SECURITY] [DSA 1266-1] New gnupg packages fix signature forgery
On Wed, Mar 14, 2007 at 02:03:42PM +0100, Frans Pop wrote:
> On Wednesday 14 March 2007 12:29, Steve Langasek wrote:
> > > However, etch still has 1.4.6-1, and no freeze exception has been
> > > requested.
> > But it has been granted.
> Note that this means gpgv-udeb is now out of sync between D-I initrds and
> udebs. I discussed this with aba on IRC yesterday and did not ack the
> unblock for that reason. I would have much preferred if this had gone
> through security.d.o, but in the end it is up to RM.
So at this point, the udebs we have in the prospective d-i rc2 initrds that
we know we want to get fixes in yet for the .debs are atk1.0, gnupg, and
udev. The gnupg bug is a security bug, so an alternate update path is
available; atk1.0 /might/ be ignorable on the grounds that the scope of the
bug is limited to users of screenreaders using a translation in
indeterminate circumstances; but the udev problem seems to be fairly
widespread in the hardware it would potentially affect, which I think tips
the balance in favor of stashing those udebs somewhere for the release and
allowing the updates into testing.
AJ, can the ftp team make libatk1.0-udeb 1.12.4-2, udev-udeb 0.105-3, and
gpgv-udeb 1.4.6-1, with sources, persistently available in a separate suite
to allow updates to go into testing? It would be ideal if we had this in
place by the 20th, so that at least anyone installing from
netboot/netinst/businesscard can get the updated atk1.0 so we have more
opportunity for feedback on anything that's gone wrong.
Thanks,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/