On Mon, 28 Jul 2008 10:15:02 pm Frédéric PICA wrote: > I didn't see proftpd in the security part of the 4.0r4 news. > The major version is still 4.0 and for me, a security update for this > version must still go into the security channel. It's logical to do > these sort of changes between two major versions, but not two minor. > I'm following stable, not 4.0r3 or r4. > > Is there another explanation ? Yes, not every security issue is severe enought to warrant a DSA. Some issues are considered as minor (for instance a lot of DoS attacks) and can be fixed via a stable update. The security tracker normally indicates such issues with a <no-dsa> tag (see the * behind the issues). There is a list of issues that could be fixed via stable-proposed-update (a stable update upload area) in svn called /data/spu-candidates.txt . Cheers Steffen : http://security-tracker.debian.net/tracker/status/release/stable
Description: This is a digitally signed message part.