On Mon, 8 Jun 2009 17:09:54 -0400 Michael S. Gilbert wrote:
> On Mon, 1 Jun 2009 17:54:39 +0200, Francesco Poli wrote:
> > There are vulnerabilities in the tracker that show up as fixed in
> > lenny, and as unfixed in squeeze, despite the package version being
> > the *same* in the two suites.
>
> fixed.

Thank you: this one seems to have been left over
http://security-tracker.debian.net/tracker/CVE-2009-0787

[...]

> > Moreover, it is my understanding that a security update for stable is
> > automatically used for testing too, whenever testing does not have any
> > newer version of the package.
>
> this is never the case. 2.6.26-15lenny3 from stable-security has and
> will not migrate to testing, so these issues are still present in
> squeeze.

Ah, I thought this stable-security -> testing-security migration was
already implemented.
Maybe having this feature could be useful!
What do others think?

BTW, when will testing security support start again?
Back in February, I was told to wait for some 2 months...
http://lists.debian.org/debian-security-tracker/2009/02/msg00011.html

> if you are running testing at this point, you should probably be using
> the kernel from stable-security to make sure you are protected against
> the latest known vulnerabilities.

I think this should happen automatically.
This is a good reason to implement an automatic stable-security ->
testing-security migration mechanism, that is triggered whenever the
package version in testing (and the package version in testing-security,
if any) is older than the stable-security one, as suggested above.
An example where this mechanism would benefit testing is:
http://security-tracker.debian.net/tracker/CVE-2009-0688

  Source Package     Release            Version                  Status
  cyrus-sasl2 (PTS)  etch               2.1.22.dfsg1-8           vulnerable
                     etch (security)    2.1.22.dfsg1-8+etch1     fixed
                     lenny, squeeze     2.1.22.dfsg1-23          vulnerable
                     lenny (security)   2.1.22.dfsg1-23+lenny1   fixed
                     sid                2.1.23.dfsg1-1           fixed

I think that cyrus-sasl2/2.1.22.dfsg1-23+lenny1 could be used for
"squeeze (security)" too.
Is that right?

-- 
New location for my website! Update your bookmarks!
http://www.inventati.org/frx
.....................................................
Francesco Poli . GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
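The migration rule proposed in this mail, worked through as an added example (not code from the Debian security tracker or from the mail's author): a dpkg-style version comparison plus the check that decides whether a stable-security build should be copied to testing-security, applied to the cyrus-sasl2 versions from the tracker table above. Function names are assumed for illustration.

```python
import re

def _order(c):
    # dpkg character weights: '~' sorts before everything, even the end of
    # the string; letters before non-letters; digits/"" weigh the same.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare one upstream_version or debian_revision the way dpkg does:
    # alternate non-digit runs (character by character) and digit runs.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa, ob = _order(na[i:i + 1]), _order(nb[i:i + 1])
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2,
    for Debian versions of the form [epoch:]upstream[-debian_revision]."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
        return int(epoch), upstream, rev
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    # Epoch decides first; then upstream, then the Debian revision.
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def migration_candidate(testing, stable_security, testing_security=None):
    """Rule proposed in the mail: copy the stable-security build to testing-
    security only if it is newer than testing and any testing-security build."""
    present = [testing] + ([testing_security] if testing_security else [])
    if all(compare_versions(v, stable_security) < 0 for v in present):
        return stable_security
    return None

# Versions taken from the CVE-2009-0688 tracker table quoted in the mail.
CYRUS_SASL2 = {"squeeze": "2.1.22.dfsg1-23",
               "lenny (security)": "2.1.22.dfsg1-23+lenny1"}
```

migration_candidate(CYRUS_SASL2["squeeze"], CYRUS_SASL2["lenny (security)"]) returns "2.1.22.dfsg1-23+lenny1", the answer the mail asks about; with sid's 2.1.23.dfsg1-1 as the testing version it returns None.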