[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Misunderstanding about normal (stable) and security channels

Ok, so the problem remains the same for me.
It's possible that a package get updated for a security reason while
being in the stable channel. This is contradictory with the security
Is there another way (for a program) to get the type of a package ? A
special way to access the security tracker (RPC, ...) ??

Frédéric PICA

2008/7/28 Steffen Joeris <steffen.joeris@skolelinux.de>:
> Hi Frederic
> On Mon, 28 Jul 2008 11:54:55 pm you wrote:
>> Ok, so this one :
>> -----------------------------------
>>  proftpd-dfsg  (1.3.0-19etch1) stable; urgency=low
>>    * [SECURITY] Added patch auth_cache.dpatch. It fixes CVE-2007-2165.
>>  -- Francesco Paolo Lovergine <frankie@debian.org>  Tue, 15 Jan 2008
>> 11:50:31 +0100
>> -----------------------------------
>> should have been in the security channel, and not in stable.
>> So this is an "error" of the package maintainer and should be an
>> isolate case, right ?
> Nope, this was a minor issue according to the tracker and thus it got fixed in
> a point release. CVE ids are not only for major issues, but for all sorts of
> security issues.
> Cheers
> Steffen

Reply to: