[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 1438-1] New tar packages fix several vulnerabilities


On Fri Dec 28, 2007 at 19:19:50 -0500, Jim Popovitch wrote:
> On Fri, 2007-12-28 at 22:36 +0100, Martin Zobel-Helas wrote:
> > On Fri Dec 28, 2007 at 22:10:08 +0100, Wolfgang Jeltsch wrote:
> > > However, I cannot see any security announcement for most of these.  Were they 
> > > updated because of the security fix for tar?  If yes, why doesn’t the 
> > > security announcement mention that updated versions are available also for 
> > > those packages?
> > 
> > see http://lists.debian.org/debian-announce/debian-announce-2007/msg00004.html
> Martin,
> First, I (and many others) appreciate your and everyone else's work on
> Debian.   That said, I too am confused by the latest Debian 4.0 release.
> It seems to me that, in the past, all Debian patches were released with
> DSAs (why patch w/o a DSA?), and that further updates to the core
> release (Potato, Sid, Sarge, Etch, etc) were only a roll-up of
> previously issued DSAs.   I don't recall new functionality ever being
> added in a core release update bundle (although I could be wrong).  

You are (mostly) wrong here. Most of the packages mentioned under
"Miscellaneous Bugfixes" in the Release Announcement are just bug fixes,
several of them also have CVE numbers, of which the security team thinks
which are not so important to fix. Others just add missing dependencies
without those the package would not be able to run. Also other packages
just get RC bugs fixed. 

The only package which got REAL updates this time was the Debian Linux
Kernel, to support eg. SGI o2 machines. Also some (sub-)architectures
were missing some important kernel modules the other
(sub-)archtitectures had, so we considered that as worth for updating
the kernel.

> Consider that some people, such as myself, only update servers based on
> review of public DSA statements.  Yet now we find ourselves with
> multiple days of updates to multiple pkgs, but no corresponding DSA
> announcements to cross reference for validity (which can easily make one
> suspect a mirror has been hacked).  

Thus we try to send out the announcement to that 'point release' very
short after packages have been pushed out to the mirrors (read as in:
within one day). We cannot send it directly after the dinstall process,
as only the tier-1 mirrors then would have those packages, but not
tier-2 and tier-3 mirrors. Also consider some mirrors only update by
cron twice a day.

> Since I'm not the only one confused by the recent updates, can we get
> some clarification on this process please.  Specifically, is it
> currently Debian policy to release non-critical pkg updates, i.e.
> releases without DSAs, in periodic core release rollups? (is this new or
> has it been so in the past?)  Could Debian be better served by calling
> the rollup (including new non-critical updates) a new release (i.e 4.1)?

These releases are called 'point releases' and are prepared publicly.
Preperation mails to these point releases are periodicly sent to
debian-releases@lists.debian.org[1]. Also prior releases had
'Miscellaneous Bugfixes', see eg. [2]. The list of 'Miscellaneous
Bugfixes' just got a bit bigger, as the last point releases was for
various reasons not 2 but 6 month ago. 

Also my predecessor, Joey Schulze, was much more strict regarding
'Miscellaneous Bugfixes', and several Debian Developers expressed the
wish that his rules should be eased a bit. We are still very strict
regarding these bugfixes but not as strict as he was.

I hereby will also say that these bugfixes (and point releases) will
happen in future as well, so be prepared to it. You really should read
debian-announce@lists.debian.org, as all these updates will be announced
to that mailing list.

Hope that eMail helps a bit to clarify.


[1] http://lists.debian.org/debian-release/2007/12/msg00203.html or

[2] http://lists.debian.org/debian-announce/debian-announce-2007/msg00003.html or
[root@debian /root]# man real-life
No manual entry for real-life

Reply to: