
Re: stable vs. testing: same versions, different status



On Thu, 2 Jul 2009 12:40:45 -0400 Michael S. Gilbert wrote:

> On Tue, 30 Jun 2009 01:12:44 +0200, Francesco Poli wrote:
> > How can we make sure that those Debian patches, as long as they are
> > still needed, are retained for new upstream versions, when they are
> > packaged?
> 
> this is mostly a matter of trusting the maintainer to do the requisite
> background work (applying patches from the old version if they are still
> relevant) when preparing a new upstream version.  this isn't
> policyified, but one would also hope that other maintainers/users are
> reviewing the changes to make sure regressions don't happen.

Fair enough.

> 
> > Moreover, how can we make sure that packages fixed in stable and
> > testing, but not in unstable, get fixed in unstable too, before a new
> > version migrates from unstable to testing?
> > Maybe by filing appropriate RC bugs?
> 
> yes, if unstable is missing a security fix that is in the testing
> or stable packages, then that is a regression, and a serious bug should
> be filed.

Perfect!
I was going to file an RC bug against linux-2.6 for the following 7
vulnerabilities that are fixed in testing, but not in unstable,
according to the security tracker:

http://security-tracker.debian.net/tracker/CVE-2009-1758
http://security-tracker.debian.net/tracker/CVE-2009-1633
http://security-tracker.debian.net/tracker/CVE-2009-1630
http://security-tracker.debian.net/tracker/CVE-2009-1338
http://security-tracker.debian.net/tracker/CVE-2009-1242
http://security-tracker.debian.net/tracker/CVE-2009-0835
http://security-tracker.debian.net/tracker/CVE-2009-0834

However, while reviewing the CVE descriptions on http://cve.mitre.org/,
I noticed that all of them seem to only affect Linux kernel upstream
versions < 2.6.30.

Could someone check that linux-2.6/2.6.30-1 (currently in unstable) is
really fixed w.r.t. the above-mentioned CVEs and possibly update the
security tracker to reflect reality?

Thanks in advance.


-- 
 New location for my website! Update your bookmarks!
 http://www.inventati.org/frx
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4
