
Re: dist stable update for #496412



On Sat, Oct 04 2008, Nico Golde wrote:

> an insecure temporary file creation was reported to the dist some time ago.
> This is Debian bug #496412.

> Unfortunately the vulnerability is not important enough to get it
> fixed via regular security update in Debian stable. It does not
> warrant a DSA.

> However it would be nice if this could get fixed via a regular point
> update[0].  Please contact the release team for this.

> This is an automatically generated mail, in case you are already
> working on an upgrade this is of course pointless.

        Umm. The fixed package is already in testing and unstable, so
 with the new release, stable should be covered.

  1) The package in testing has had many, many unrelated changes,
     including a new set of upstream releases, so would not meet the
     stable release criteria.
  2) The package has a low popularity contest ranking.
  3) Uploading packages to proposed-updates for security is deprecated,
     if it were important enough, there would have been the normal
     security update which would have taken the fixes back to stable. 
  4) The fix will have to be back ported, since we can't just take the
     testing version of the package back.

        On the other hand, back-porting the fix will probably be pretty
 easy, though still a chore. Since this is an automatically generated
 request, I'd like the input of a human before I undertake the task --
 is this report, which was not deemed important enough to be called a
 security risk, worth the effort? Will we release Lenny before the next
 point release?

        manoj
-- 
"The first step to getting the things you want out of life is this:
Decide what you want." -Ben Stein
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

