Axel Beckert said at 18/03/2008 14:56:
On Tue, Mar 18, 2008 at 10:00:18AM +0000, Ronny Adsetts wrote:For the unstable distribution (sid), this problem has been fixed in version 2.31.1.Ehm, that's strange somehow since unstable, testing and even etch-backports already have ikwiki 2.40: http://packages.debian.org/ikiwikiSee here for the fix which was in v 2.31.1:That's not the question. The question is, why the security team releases 2.31.1 as security update while 2.40 is the current version and not only since a few days. If the fix is already in 2.40, 2.40 shouldn't need a security update and if 2.40 is vulnerable, 2.31.1 will never be installed as security update. So why the lower version as security update? It just doesn't seem to make sense.
My understanding is that the security team don't generally provide updates for unstable. The DSA simply notes the unstable version in which the security hole was fixed. I assume in this case the DSA was prepared before the newer version was uploaded to unstable. Can someone from the security team correct me if I'm wrong. Ronny -- Ronny Adsetts Technical Director Amazing Internet Ltd, London t: +44 20 8607 9535 f: +44 20 8607 9536 w: www.amazinginternet.com Registered office: UK House, 82 Heath Road, Twickenham TW1 4BWRegistered in England. Company No. 4042957
Description: OpenPGP digital signature