Re: [SECURITY] [DSA 1807-1] New cyrus-sasl2/cyrus-sasl2-heimdal packages fix arbitrary code execution

["Thijs Kinkhorst" <thijs@debian.org>]

On Mon, June 15, 2009 16:42, Dominic Hargreaves wrote:
>> For the oldstable distribution (etch), this problem will be fixed soon.
>>
>
> 2.1.22.dfsg1-8+etch1 has now appeared in the security archive which
> appears to fix this problem, but no subsequent advisory has been released.
>  Is this an oversight?

I'm not sure - the advisory tells us that the updated packages will be
released soon, and that's exactly what happened. Point is that we don't
have fixed rules for which events lead to a "-2" DSA mail and which don't.
Some cases are clear: when we update packages for a regression. In others
its always a tradeoff: would a "-2" add more information for our users? We
could send such an update mail strictly for each and every change, but
this would also add a lot of noise.


cheers,
Thijs