Re: Misunderstanding about normal (stable) and security channels

Frédéric PICA wrote:
Ok, so the problem remains the same for me.
It's possible that a package gets updated for a security reason while
being in the stable channel. This is contradictory with the security
Is there another way (for a program) to get the type of a package? A
special way to access the security tracker (RPC, ...)?
Maybe debsecan is suitable for you?

Description: Debian Security Analyzer
debsecan is a tool to generate a list of vulnerabilities which affect a
particular Debian installation.  debsecan runs on the host which is to be
checked, and downloads vulnerability information over the Internet.  It can
send mail to interested parties when new vulnerabilities are discovered or when
security updates become available.

Regards, Riku
Frédéric PICA

2008/7/28 Steffen Joeris <steffen.joeris@skolelinux.de>:
Hi Frederic

On Mon, 28 Jul 2008 11:54:55 pm you wrote:
Ok, so this one:

 proftpd-dfsg (1.3.0-19etch1) stable; urgency=low

   * [SECURITY] Added patch auth_cache.dpatch. It fixes CVE-2007-2165.

 -- Francesco Paolo Lovergine <frankie@debian.org>  Tue, 15 Jan 2008 11:50:31 +0100

should have been in the security channel, and not in stable.
So this is an "error" of the package maintainer and should be an
isolated case, right?
Nope, this was a minor issue according to the tracker and thus it got fixed in
a point release. CVE ids are not only for major issues, but for all sorts of
security issues.
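An added example, not from this thread and not part of debsecan, of what a program could do with the changelog entry quoted above: parse debian/changelog stanzas and flag entries that name a CVE or carry a [SECURITY] tag, so a security fix is recognised even when it was uploaded to stable rather than the security suite. The "-security" suite-name check and the second sample stanza are assumptions/constructed.

```python
import re
from dataclasses import dataclass, field

# Header of a debian/changelog stanza: "package (version) distribution; urgency=level"
HEADER_RE = re.compile(r"^(?P<pkg>\S+) \((?P<ver>[^)]+)\) (?P<dist>[^;]+); urgency=(?P<urg>\S+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

@dataclass
class Stanza:
    package: str
    version: str
    distribution: str
    urgency: str
    cves: list = field(default_factory=list)
    security_tagged: bool = False

def parse_changelog(text: str) -> list:
    """Split changelog text into stanzas, collecting CVE ids and [SECURITY] tags."""
    stanzas, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Stanza(m["pkg"], m["ver"], m["dist"].strip(), m["urg"])
            stanzas.append(current)
        elif current is not None:
            if "[SECURITY]" in line.upper():
                current.security_tagged = True
            for cve in CVE_RE.findall(line):
                if cve not in current.cves:
                    current.cves.append(cve)
    return stanzas

def is_security_fix(stanza: Stanza) -> bool:
    """A stanza is a security fix if it names a CVE, is tagged [SECURITY],
    or targets a *-security suite (assumed naming, e.g. stable-security)."""
    return bool(stanza.cves) or stanza.security_tagged or stanza.distribution.endswith("-security")

# Constructed sample: the proftpd-dfsg entry from the thread plus a made-up non-security entry.
SAMPLE = """\
proftpd-dfsg (1.3.0-19etch1) stable; urgency=low

  * [SECURITY] Added patch auth_cache.dpatch. It fixes CVE-2007-2165.

 -- Francesco Paolo Lovergine <frankie@debian.org>  Tue, 15 Jan 2008 11:50:31 +0100

example-pkg (0.1-1) unstable; urgency=low

  * Constructed non-security entry.

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2008 00:00:00 +0000
"""
```

Run `parse_changelog(SAMPLE)` and feed each stanza to `is_security_fix` to see that the stable-suite proftpd entry is still classified as a security update.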