
Re: [SECURITY] [DSA 431-1] New perl packages fix information leak in suidperl



Matt Zimmerman <mdz@debian.org> wrote:

> On Sun, Feb 01, 2004 at 12:18:07PM +0100, Arthur de Jong wrote:

>> I don't mean to be paranoid but this advisory is dated February 1st,
>> 2004 but the new changelog entries are both dated 11 Sep 2003 and
>> the deb file for i386 I got has a timestamp of Sep 12. Furthermore
>> judging from timestamps on [1] other architectures seem to have
>> similar build dates.
>> 
>> Did it really take that long to coordinate this DSA or do all build
>> daemons have a problem with their clocks? Not that it really matters
>> for this DSA as it is a minor problem that should not affect that
>> many people, just being curious.
> 
> Yes, the packages were built a long time ago.  I was waiting for some
> additional problems to be fixed, but the advisory had to be released
> in order to fix a problem with the postgresql update (which had
> picked up a dependency on this unreleased version).

Does this mean that it is possible that known and fixed (!) security
problems are not being corrected in Debian for nearly 5 months? Even
though this may be a minor problem, I would like to see it fixed as
soon as possible.

Paul


