Re: [SECURITY] [DSA 1807-1] New cyrus-sasl2/cyrus-sasl2-heimdal packages fix arbitrary code execution
On Mon, Jun 15, 2009 at 06:10:29PM +0200, Nico Golde wrote:
> * Thijs Kinkhorst <firstname.lastname@example.org> [2009-06-15 17:39]:
> > On Mon, June 15, 2009 16:42, Dominic Hargreaves wrote:
> > >> For the oldstable distribution (etch), this problem will be fixed soon.
> > >>
> > >
> > > 2.1.22.dfsg1-8+etch1 has now appeared in the security archive which
> > > appears to fix this problem, but no subsequent advisory has been released.
> > > Is this an oversight?
> > I'm not sure - the advisory tells us that the updated packages will be
> > released soon, and that's exactly what happened. Point is that we don't
> > have fixed rules for which events lead to a "-2" DSA mail and which don't.
> Yes, exactly the reason why I didn't release another
I'm not convinced by that reasoning; the lack of follow-up advisory that
people relying on the advisories for notification of package updates had
no way to tell that the packages were available, and would have had to
check on the offchance every so often; also that the package lists
and MD5sums weren't available for those files.
Anyway, I can see that there are arguments for both ways so I won't
push it :)
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)