On Mon, 8 Jun 2009 17:09:54 -0400 Michael S. Gilbert wrote:
> On Mon, 1 Jun 2009 17:54:39 +0200, Francesco Poli wrote:
> > There are vulnerabilities in the tracker that show up as fixed in
> > lenny, and as unfixed in squeeze, despite the package version being the
> > *same* in the two suites.
>
> fixed.
Thank you: this one seems to have been left over
http://security-tracker.debian.net/tracker/CVE-2009-0787
[...]
> > Moreover, it is my understanding that a security update for stable is
> > automatically used for testing too, whenever testing does not have any
> > newer version of the package.
>
> this is never the case. 2.6.26-15lenny3 from stable-security has not and
> will not migrate to testing, so these issues are still present in
> squeeze.
Ah, I thought this stable-security -> testing-security migration was
already implemented.
Maybe having this feature could be useful!
What do others think?
BTW, when will testing security support start again?
Back in February, I was told to wait for some 2 months...
http://lists.debian.org/debian-security-tracker/2009/02/msg00011.html
>
> if you are running testing at this point, you should probably be using
> the kernel from stable-security to make sure you are protected against
> the latest known vulnerabilities.
I think this should happen automatically.
This is a good reason to implement an automatic stable-security ->
testing-security migration mechanism, that is triggered whenever the
package version in testing (and the package version in
testing-security, if any) is older than the stable-security one,
as suggested above.
An example where this mechanism would benefit testing is:
http://security-tracker.debian.net/tracker/CVE-2009-0688
Source Package      Release           Version                  Status
cyrus-sasl2 (PTS)   etch              2.1.22.dfsg1-8           vulnerable
                    etch (security)   2.1.22.dfsg1-8+etch1     fixed
                    lenny, squeeze    2.1.22.dfsg1-23          vulnerable
                    lenny (security)  2.1.22.dfsg1-23+lenny1   fixed
                    sid               2.1.23.dfsg1-1           fixed
I think that cyrus-sasl2/2.1.22.dfsg1-23+lenny1 could be used for
"squeeze (security)" too.
Is that right?
--
New location for my website! Update your bookmarks!
http://www.inventati.org/frx
..................................................... Francesco Poli .
GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
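The stable-security -> testing-security trigger proposed above, worked through as an added example that is not code from the security tracker or from anyone in this thread: it reimplements dpkg's version ordering in Python and applies it to the cyrus-sasl2 rows quoted from the CVE-2009-0688 entry. The needs_migration helper and its argument names are assumptions of the example.

```python
import re
from typing import Optional, Tuple

def _order(c: str) -> int:
    # dpkg ordering of non-digits: '~' < end of string < letters < everything else.
    if c == "~":
        return -1
    return 0 if c == "" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a: str, b: str) -> int:
    # Alternate runs of non-digits (ordered via _order) and runs of digits (numeric).
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = a[i] if i < len(a) and not a[i].isdigit() else ""
            cb = b[j] if j < len(b) and not b[j].isdigit() else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
            i, j = i + len(ca), j + len(cb)
        na, nb = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(na), j + len(nb)
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(v: str) -> Tuple[int, str, str]:
    # "[epoch:]upstream[-revision]"; the revision follows the last '-'.
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    # -1, 0 or 1, like `dpkg --compare-versions`.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def needs_migration(testing: str, stable_security: str,
                    testing_security: Optional[str] = None) -> bool:
    # Proposed trigger (hypothetical helper): stable-security carries a newer
    # version than both testing and testing-security, when the latter exists.
    newest = testing
    if testing_security and compare_versions(testing_security, testing) > 0:
        newest = testing_security
    return compare_versions(stable_security, newest) > 0

# Rows quoted from the CVE-2009-0688 tracker entry for cyrus-sasl2:
# testing 2.1.22.dfsg1-23 vs lenny-security 2.1.22.dfsg1-23+lenny1 -> True,
# sid 2.1.23.dfsg1-1 is already newer -> False.
```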