[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: What's up with the git-core package?



In <slrniabget.2pl.joerg@alea.gnuu.de>, Jörg Sommer wrote:
>on a lenny system with the package git-core installed from the security
>repository, debsecan marks CVE-2010-2542 as not fixed. In the last weeks,
>I saw different versions popping up. At least, on claims to fix
>CVE-2010-2542.

A new Debian package of git-core was prepared for stable and included in the 
5.0.6 update to Lenny.  This version addressed the permissions issue, but it 
hadn't spent any (much?) time in stable-proposed-updates or the security 
repository.

Unfortunately, the i386 package was built in an odd environment, so git-core 
in current Lenny (5.0.6) on i386 is broken (can't clone or init due to overly 
restrictive permissions).

Stable is *only* updated at point releases, so git-core in Lenny (on i386) 
will be broken until 5.0.7 is released.  As users of the package know, this is 
a fairly major regression over a relatively minor security issue.

Because of the severity of the issue, new versions of git-core were/are going 
to be made through (at least) the security and volatile repositories and 
possibly stable-proposed-updates and backports as well.

Bug #595728 documents most of this, and it may have been updated since last 
time I researched the issue.
-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/

Attachment: signature.asc
Description: This is a digitally signed message part.


Reply to: