[DSA 1629-1] Etch postfix packages older than base (was Re: New postfix packages fix privilege escalation)
In message <20080818205129.0472332762F@morgana.loeki.tv>, Thijs Kinkhorst writes:
>Package : postfix
>Vulnerability : programming error
>[...]
>For the stable distribution (etch), this problem has been fixed in
>version 2.3.8-2etch1.
It appears that this security patched package actually has an older
version number than the one in Debian Etch base.
The postfix package in Debian Etch is 2.3.8-2+b1:
http://packages.debian.org/search?keywords=postfix&searchon=names&exact=1&suite=stable&section=all
Which is greater than 2.3.8-2etch1 as far as dpkg is concerned:
ewen@ra:~$ if dpkg --compare-versions 2.3.8-2etch1 ge 2.3.8-2+b1; then echo "Would upgrade"; else echo "Won't upgrade"; fi
Won't upgrade
ewen@ra:~$
Which means that the packages can't be pulled in with aptitude/apt-get,
and if they are manually installed another upgrade/dist-upgrade will
"revert" them to the version in base.
Would it be possible to rerelease this fix for Debian Etch with a
higher package version number? Either 2.3.8-3etch1 or 2.3.8-2+b1etch1
or similar would seem to do.
Thanks,
Ewen
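The ordering Ewen is running into is dpkg's version comparison rule: within the Debian revision, "2etch1" sorts below "2+b1" because, in dpkg's modified ASCII order, letters sort before non-letters, so 'e' comes before '+'. The following is an added example (not part of this thread and not dpkg's own code): a small pure-Python reimplementation of the comparison algorithm from Debian Policy (epoch, then upstream version, then revision; alternating non-digit and numeric parts), used to check the version in base against the three version strings discussed above. Any version strings beyond those in the mail are constructed test values.

```python
"""Pure-Python re-implementation of dpkg's version ordering.

Assumption: this follows the algorithm described in Debian Policy
(section "Version"), it is not a wrapper around dpkg --compare-versions.
"""
import re
from itertools import zip_longest


def _order(c: str) -> int:
    # dpkg's modified ASCII order: '~' sorts before everything, even the end
    # of a part; end of part ("") comes next; letters sort before non-letters.
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one upstream-version or revision fragment dpkg-style."""
    while a or b:
        # 1) non-digit prefixes, compared character by character
        na = re.match(r"[^0-9]*", a).group()
        nb = re.match(r"[^0-9]*", b).group()
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            oa, ob = _order(ca), _order(cb)
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(na):], b[len(nb):]
        # 2) numeric runs, compared as integers (so "10" > "9")
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        # a missing revision is treated as revision "0"
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as dpkg would order version a against b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_fragment(ua, ub)
    if c:
        return c
    return _cmp_fragment(ra, rb)


def would_upgrade(installed: str, candidate: str) -> bool:
    """apt only pulls in a candidate that is strictly newer than what is installed."""
    return compare_versions(candidate, installed) > 0


if __name__ == "__main__":
    base = "2.3.8-2+b1"  # version in Etch base, from the mail
    for cand in ("2.3.8-2etch1", "2.3.8-3etch1", "2.3.8-2+b1etch1"):
        verdict = "Would upgrade" if would_upgrade(base, cand) else "Won't upgrade"
        print(f"{cand:>16} vs {base}: {verdict}")
```

Running it reproduces the "Won't upgrade" result for 2.3.8-2etch1 and shows that both of the proposed alternatives, 2.3.8-3etch1 (higher revision number) and 2.3.8-2+b1etch1 (longer string after "2+b1"), sort above the base version. The `~` rule is included because it is the usual way to make a version sort *below* an existing one, which is the opposite of what a security update needs.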