
Re: Security updates without DSA?

On Mon, Sep 30, 2002 at 10:57:18AM +0900, Olaf Meeuwissen wrote:

> Olaf Meeuwissen <olaf@epkowa.co.jp> (that's me!) writes:
> > Dear .debs,
> > 
> > I recently wanted to apply security updates to a machine I'd installed
> > from woody pre6 CDs, hardened and upgraded to woody proper.  [...]
> > 
> > Before applying the upgrades I checked whether there was a DSA for the
> > packages that were going to be upgraded.  Surprise, there were several
> > that did not (seem to) have a corresponding DSA.
> > 
> > Question: Is that normal and OK?

This is normal in general, as the stable distribution is updated from time
to time by point releases, which fix critical non-security bugs.  However,
woody has not received such an update as yet.

> I looked into this a bit more and from the changelogs it seems that it
> really concerned security upgrades.  In the case of fetchmail-ssl, the
> woody release shipped with 5.9.11-5, the upgrade is 5.9.11-6 and the
> changelog says:

Why do you say that woody released with 5.9.11-5?  I believe woody released
with 5.9.11-6. Perhaps you did not upgrade all packages to the final woody
versions, and you had an older version from 'testing'?

> For the KDE packages I found out that they all come from the same
> source package: kdenetwork.  The woody release shipped 4:2.2.2-14, the
> upgrade is 4:2.2.2-14.0woody1 and the changelog says:
> [...]

Likewise here.

> So we have one maintainer and one security team upgrade for the woody
> distribution that have never been publicly announced.  From the looks of
> it, it would seem that these upgrades somehow got lost (them being
> upgrades to *testing*).  I am aware of the fact that security for the
> testing distribution is non-existent, but as woody is now stable, I'd say
> these are security issues for the stable distribution and should probably
> be announced (even if it's a bit late).

These look like security updates which were made to woody when it was not
yet released, thus they did not require an announcement any more than other
updates to 'testing'.

 - mdz
