[DSA 1629-1] Etch postfix packages older than base (was Re: New postfix packages fix privilege escalation)
In message <20080818205129.0472332762F@morgana.loeki.tv>, Thijs Kinkhorst writes:
>Package : postfix
>Vulnerability : programming error
>For the stable distribution (etch), this problem has been fixed in
It appears that this security patched package actually has an older
version number than the one in Debian Etch base.
The postfix package in Debian Etch is 2.3.8-2+b1:
Which is greater than 2.3.8-2etch1 as far as dpkg is concerned:
ewen@ra:~$ if dpkg --compare-versions 2.3.8-2etch1 ge 2.3.8-2+b1; then echo "Would upgrade"; else echo "Won't upgrade"; fi
Which means that the packages can't be pulled in with aptitude/apt-get,
and if they are manually installed another upgrade/dist-upgrade will
"revert" them to the version in base.
Would it be possible to rerelease this fix for Debian Etch with a
higher package version number? Either 2.3.8-3etch1 or 2.3.8-2+b1etch1
or similar would seem to do.