[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 195-1] New Apache-Perl packages fix several vulnerabilities



On Thu, Nov 14, 2002 at 07:45:34AM +0700, Jean Christophe ANDRÉ imagined:

> Raymond Wood écrivait :

> > Jean Christophe ANDRÉ remarked:

> > > Raymond Wood écrivait :
> > > > Respectfully, does anyone know when Sid will receive
> > > > patches for the previous Apache vulnerabilities that
> > > > were fixed for Potato and Woody, but not Sid? It's been
> > > > days... Raymond

> > > Because Sid's aim is to allow you to test bugs... and enjoy
> > > viruses! <g> ;-)

> > That was not my question - read again if you must.

> I read it again, my answer was right for your pure question! :)

> [...]
> > The relevant DSA in question itself stated something to the
> > effect 'a fix for Sid will appear soon'.  At this point I am
> > wondering how soon or how late:  I mean are we talking about
> > days or weeks at this point?

> Ok, I was wrong because of ignoring this, my apology.
> 
> Cheers, J.C.

My apology also -- I had no intention of trying to upset anyone.
I'm just trying to get an approximate answer to a general
question.  So no worries.

The question is obviously an unpopular one :)  It seems many
Debian people are fond of claiming that Debian's software
versions aren't so far behind the other commercial distributions
because "you can always use Sid if you need the latest
versions".  This has worked quite well for me, and others I
know, and know of, who want to run something a little more
current on our desktops.

From a security perspective, this has also worked rather well in
cases when security vulnerabilities have been addressed by the
DSA's that are issued.  Even though Sid is officially not
supported by the security team, still 99 times out of a hundred,
a patch or new version will appear in Sid quite promptly (I
don't know if these are usually done by the security team or
not).  So there is usually very little risk for those running
Sid on their desktops, if they are careful, in my experience.

This latest episode that I'm asking about now seems different
though.  Patches were issued for *multiple* Apache problems in
Potato and Woody, and ... nothing happens in Sid.

Well, this is a 'first' for me.  Perhaps I am finally just
getting to know Sid a little better than I did before  ;)
Perhaps the security vulnerabilities are somehow not as serious
as in other cases (i.e. hard/impossible to exploit).  I just
don't know.

Anyway, since asking this question seems to cause grief for both
myself and others on this list, this be the the last time I am
going to mention it.  I'll take it as a lesson learned if I have
to.

I will, however, continue to find it strange that there is
seemingly so little desire (on this list anyway) to address
Sid's current status with respect to this particular Apache
vulnerability -- quite apart from the policy of which we're all
aware, that Sid is not ever guaranteed security patches.  It
seems like a reasonable concern to me, for a security list.

My $0.02,
Raymond
-- 
"You deserve to be able to cooperate openly and freely with other
people who use software.  You deserve free software."
 -Richard M. Stallman, Free Software Foundation, http://www.fsf.org

Attachment: pgpsufxc5EHYc.pgp
Description: PGP signature


Reply to: