Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
On Thu, Jul 14, 2005 at 05:40:22PM +0200, Herwig Wittmann wrote:
> This would be very convenient- but the delay that seems to have passed
> between the original squirrelmail security announcement and the time I
> received the alert via security@debian.org is worrying:
>
> The Vulnerability seems to have been described a few weeks ago:
> http://www.squirrelmail.org/security/issue/2005-06-15
>
> The Debian Security Advisory 756-1 is dated July 13th, 2005.
This has been discussed already in the archives, you should probably
refer to those rather than reviving the subject.
e.g. the following three threads:
http://lists.debian.org/debian-security/2005/06/msg00055.html
http://lists.debian.org/debian-security/2005/06/msg00097.html
http://lists.debian.org/debian-security/2005/06/msg00142.html
> I do not want to be rude in any way- please try to excuse my way of putting
> things, but does anybody have a prediction how probable it is for such a
> thing to happen again?
It's unknown whether the build infrastructure problems will recur,
machines do die so it's possible. The communication problems leading
to various misunderstandings I hope will be less likely to reoccur.
> Is there a role/function in debian that is responsible for reviewing
> bugtraq or similar sources, and is ensured that this role is fulfilled
> every day?
The security team do follow bugtraq, etc. Filing bugs with patches
is a useful thing to do - but forwarding a message that has been posted
publicly already is perhaps less useful. It's not like there's not
enough spam mail sent to security@d.o already ;)
> Or will there be other measures in place to see that security issues are
> noticed quickly for all packages- even for strange tools that
> are not used by normal unix-centered developers?
I'm unsure exactly what you are suggesting about less popular tools.
Sure if five issues need fixing simultaneously the "less used" is
liable to suffer if there's a more important bug.
Still even less popular tools are supported, all packages should
receive updates eventually.
Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit