On Thu, 2 Jul 2009 12:40:45 -0400 Michael S. Gilbert wrote:

> On Tue, 30 Jun 2009 01:12:44 +0200, Francesco Poli wrote:
> > How can we make sure that those Debian patches, as long as they are
> > still needed, are retained for new upstream versions, when they are
> > packaged?
>
> this is mostly a matter of trusting the maintainer to do the requisite
> background work (applying patches from the old version if they are still
> relevant) when preparing a new upstream version. this isn't
> policyified, but one would also hope that other maintainers/users are
> reviewing the changes to make sure regressions don't happen.

Fair enough.

> > Moreover, how can we make sure that packages fixed in stable and
> > testing, but not in unstable, get fixed in unstable too, before a new
> > version migrates from unstable to testing?
> >
> > Maybe by filing appropriate RC bugs?
>
> yes, if unstable is missing a security fix that is in the testing
> or stable packages, then that is a regression, and a serious bug should
> be filed.

Perfect!

I was going to file an RC bug against linux-2.6 for the following 7
vulnerabilities that are fixed in testing, but not in unstable, according
to the security tracker:

http://security-tracker.debian.net/tracker/CVE-2009-1758
http://security-tracker.debian.net/tracker/CVE-2009-1633
http://security-tracker.debian.net/tracker/CVE-2009-1630
http://security-tracker.debian.net/tracker/CVE-2009-1338
http://security-tracker.debian.net/tracker/CVE-2009-1242
http://security-tracker.debian.net/tracker/CVE-2009-0835
http://security-tracker.debian.net/tracker/CVE-2009-0834

However, while reviewing the CVE descriptions on http://cve.mitre.org/, I
noticed that all of them seem to only affect Linux kernel upstream versions
< 2.6.30.

Could someone check that linux-2.6/2.6.30-1 (currently in unstable) is
really fixed w.r.t. the above-mentioned CVEs and possibly update the
security tracker to reflect reality?

Thanks in advance.

-- 
New location for my website! Update your bookmarks!
http://www.inventati.org/frx
.....................................................
Francesco Poli . GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
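As an added example (not part of the thread, and not dpkg's own code), a small Python script for the check Francesco asks for: it reproduces dpkg's version ordering and flags CVEs whose first fixed upstream version is newer than the version unstable ships. The seven CVEs carry the "< 2.6.30" bound quoted in the mail; the CVE-YYYY-NNNN entry and its 2.6.31 fix version are constructed placeholders.

```python
import re
from itertools import zip_longest

# Debian version ordering, following dpkg's documented rules (epoch, then
# upstream, then revision; '~' sorts before anything, even end of string).

def _char_order(c):
    # '~' < end-of-string < letters < every other character
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare an upstream or revision string the way dpkg does: alternate
    non-digit runs (character by character) and digit runs (numerically)."""
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            d = _char_order(ca) - _char_order(cb)
            if d:
                return (d > 0) - (d < 0)
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        d = int(na or 0) - int(nb or 0)
        if d:
            return (d > 0) - (d < 0)
    return 0

def _split(version):
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def dpkg_compare(v1, v2):
    """-1, 0 or 1: the ordering of v1 against v2 as dpkg --compare-versions sees it."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def missing_fixes(unstable_version, first_fixed):
    """CVE ids whose first fixed upstream version is newer than what unstable ships."""
    return sorted(cve for cve, fixed in first_fixed.items()
                  if dpkg_compare(unstable_version, fixed) < 0)

# The seven CVEs from the mail with the "< 2.6.30" bound quoted there; the
# last entry is a constructed placeholder showing a fix that is still missing.
FIRST_FIXED = {cve: "2.6.30" for cve in (
    "CVE-2009-1758", "CVE-2009-1633", "CVE-2009-1630", "CVE-2009-1338",
    "CVE-2009-1242", "CVE-2009-0835", "CVE-2009-0834")}
FIRST_FIXED["CVE-YYYY-NNNN"] = "2.6.31"   # constructed placeholder, not a real CVE

if __name__ == "__main__": print(missing_fixes("2.6.30-1", FIRST_FIXED))  # ['CVE-YYYY-NNNN']
```

Against linux-2.6/2.6.30-1 only the constructed entry is flagged, which matches the mail's reading that 2.6.30-1 already carries the seven upstream fixes.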