
Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities

On Mon, 11 Oct 2010 14:14:41 +0100, Ian Jackson wrote:
> Florian Weimer writes ("[SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities"):
> > DSA-2115-1 introduced a regression because it lacked a dependency on
> > the wwwconfig-common package, leading to installations problems.  This
> > update addresses this issue.  For reference, the text of the original
> > advisory is provided below.
> This is the second recent regression in a security update.  I'm sure
> you'll all agree that this is bad.  It's a shame, because Debian
> security updates have historically had a very good reputation.
> Is there anything that I could do to help with improving things to
> avoid this happening again?
> A traditional approach might be to hold a postmortem to try to find
> the chain of events, identify root causes, and make recommendations
> (whether to the Security Team or to others in the project).  Has
> anything like that been done in this case ?

The problem here appears to be the jump to the new upstream version
(1.8.2 to 1.8.13), which has a different dependency set.  New
upstreams are usually disallowed in security uploads.  The question
is why that was OK in this case, rather than the standard backporting.

Best wishes,
