
Security updates without DSA?

Dear .debs,

I recently wanted to apply security updates to a machine I'd installed
from woody pre6 CDs, hardened and upgraded to woody proper.  That is,
the machine is up-to-date with respect to

  deb ftp://ftp.debian.org/debian stable main
  deb ftp://non-us.debian.org/debian-non-US stable/non-US main

and iptables drops everything but DNS to my provider's DNS servers and
HTTP (drops incoming connection requests).
# There's some more to the hardening bit, but that's not relevant.

Before applying the upgrades I checked whether there was a DSA for the
packages that were going to be upgraded.  Surprise, there were several
that did not (seem to) have a corresponding DSA.

Question: Is that normal and OK?

Packages in question are, amongst others, fetchmail-ssl, kmail, kppp,
korn, kit, ksirc and several other KDE packages.  Since there are DSAs
for openssl and kdelibs, my guess is that the aforementioned packages
are "just" recompiles against the fixed libraries.  Should there not
be DSAs for that as well?
  After all, the package seems to be affected by the security issue to
some extent (otherwise recompilation is rather pointless).

Olaf Meeuwissen                            EPSON KOWA Corporation, ECS
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2               -- I hack, therefore I am --                 BOFH
