Re: [SECURITY] [DSA 1807-1] New cyrus-sasl2/cyrus-sasl2-heimdal packages fix arbitrary code execution
On Mon, June 15, 2009 16:42, Dominic Hargreaves wrote:
>> For the oldstable distribution (etch), this problem will be fixed soon.
>>
>
> 2.1.22.dfsg1-8+etch1 has now appeared in the security archive which
> appears to fix this problem, but no subsequent advisory has been released.
> Is this an oversight?
I'm not sure - the advisory tells us that the updated packages will be
released soon, and that's exactly what happened. Point is that we don't
have fixed rules for which events lead to a "-2" DSA mail and which don't.
Some cases are clear: when we update packages for a regression. In others
it's always a tradeoff: would a "-2" add more information for our users? We
could send such an update mail strictly for each and every change, but
this would also add a lot of noise.
cheers,
Thijs