[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[DSA 1629-1] Etch postfix packages older than base (was Re: New postfix packages fix privilege escalation)

In message <20080818205129.0472332762F@morgana.loeki.tv>, Thijs Kinkhorst writes:
>Package        : postfix
>Vulnerability  : programming error
>For the stable distribution (etch), this problem has been fixed in
>version 2.3.8-2etch1.

It appears that this security patched package actually has an older
version number than the one in Debian Etch base.

The postfix package in Debian Etch is 2.3.8-2+b1:


Which is greater than 2.3.8-2etch1 as far as dpkg is concerned:

ewen@ra:~$ if dpkg --compare-versions 2.3.8-2etch1 ge 2.3.8-2+b1; then echo "Would upgrade"; else echo "Won't upgrade"; fi
Won't upgrade

Which means that the packages can't be pulled in with aptitude/apt-get,
and if they are manually installed another upgrade/dist-upgrade will
"revent" them to the version in base.

Would it be possible to rerelease this fix for Debian Etch with a
higher package version number?  Either 2.3.8-3etch1 or 2.3.8-2+b1etch1
or similar would seem to do.



Reply to: