
[DSA 1629-1] Etch postfix packages older than base (was Re: New postfix packages fix privilege escalation)



In message <20080818205129.0472332762F@morgana.loeki.tv>, Thijs Kinkhorst writes:
>Package        : postfix
>Vulnerability  : programming error
>[...]
>For the stable distribution (etch), this problem has been fixed in
>version 2.3.8-2etch1.

It appears that this security-patched package actually has an older
version number than the one in Debian Etch base.

The postfix package in Debian Etch is 2.3.8-2+b1:

http://packages.debian.org/search?keywords=postfix&searchon=names&exact=1&suite=stable&section=all

Which is greater than 2.3.8-2etch1 as far as dpkg is concerned:

ewen@ra:~$ if dpkg --compare-versions 2.3.8-2etch1 ge 2.3.8-2+b1; then echo "Would upgrade"; else echo "Won't upgrade"; fi
Won't upgrade
ewen@ra:~$ 

Which means that the packages can't be pulled in with aptitude/apt-get,
and if they are manually installed another upgrade/dist-upgrade will
"revert" them to the version in base.

Would it be possible to rerelease this fix for Debian Etch with a
higher package version number?  Either 2.3.8-3etch1 or 2.3.8-2+b1etch1
or similar would seem to do.

Thanks,

Ewen
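
The ordering Ewen demonstrates with `dpkg --compare-versions` above, as an
added example that is not part of the mail and not dpkg's own code: a
Python reimplementation of the Debian version comparison (Debian Policy
5.6.12, following the structure of dpkg's verrevcmp), run over the version
strings named in the thread. The fourth candidate, 2.3.8-2+etch1, is a
constructed addition for comparison and is not proposed anywhere in the
mail.

```python
"""Reimplementation of dpkg's version ordering (Debian Policy 5.6.12).

Added example for this thread; not dpkg's code and not part of the mail.
Mirrors dpkg's verrevcmp(): strings are compared as alternating non-digit
and digit runs; '~' sorts before everything (even the end of string), and
letters sort before other non-digit characters such as '+' and '.'.
"""


def _order(c):
    """Sort weight of one character, as dpkg defines it."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256  # '+', '.', etc. sort after any letter
    return 0  # end of string


def _verrevcmp(a, b):
    """Compare two upstream-version or debian-revision strings."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare the non-digit run character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Leading zeros in a digit run are insignificant.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        # Compare the digit run: the longer run wins, else the first differing digit.
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""  # no revision compares like "0"
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b in dpkg order."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def would_upgrade(candidate, installed):
    """The same test as the mail's `dpkg --compare-versions CAND ge INST`."""
    return compare_versions(candidate, installed) >= 0


INSTALLED = "2.3.8-2+b1"  # the etch binNMU version quoted in the mail
CANDIDATES = [
    "2.3.8-2etch1",     # the DSA 1629-1 version
    "2.3.8-3etch1",     # suggested in the mail
    "2.3.8-2+b1etch1",  # suggested in the mail
    "2.3.8-2+etch1",    # constructed for comparison: '+e' sorts after '+b'
]

if __name__ == "__main__":
    for cand in CANDIDATES:
        verdict = "Would upgrade" if would_upgrade(cand, INSTALLED) else "Won't upgrade"
        print(f"{cand:>18} vs {INSTALLED}: {verdict}")
```

The decisive step for 2.3.8-2etch1 against 2.3.8-2+b1 is the non-digit run
after the shared "2" in the revision: "e" is a letter (weight 101) and "+"
is a non-letter (weight 43 + 256), so the DSA version sorts lower. Any
revision that keeps the "2+b1" prefix and appends to it, or that replaces
"+b1" with "+" followed by a letter later than "b", sorts above the binNMU.
On a Debian host `dpkg --compare-versions` remains the authoritative check.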