
What's up with the git-core package?



Hi,

on a lenny system with the package git-core installed from the security
repository, debsecan marks CVE-2010-2542 as not fixed. In the last weeks,
I saw different versions popping up. At least one claims to fix
CVE-2010-2542. Here are the changelog entries:

git-core (1:1.5.6.5-3+lenny3.2) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix permission problem on i386, a regression introduced by
    1:1.5.6.5-3+lenny3.1. Closes: #595728

 -- Stefan Fritsch <sf@debian.org>  Fri, 24 Sep 2010 20:56:12 +0200

git-core (1:1.5.6.5-3+lenny3.1+b1~volatile1) lenny-volatile; urgency=low

  * Non-maintainer upload.
  * Rebuild for lenny-volatile (i386 only), to get proper permissions
    on the git repository template directory.

 -- Philipp Kern <pkern@debian.org>  Tue, 14 Sep 2010 22:29:28 +0200

git-core (1:1.5.6.5-3+lenny3.1) stable; urgency=high

  * Non-maintainer upload.
  * debian/diff/0009-CVE-2010-2542.diff:
    new; fix stack-based buffer overflow in handling gitdir
    paths (Closes: #590026).

 -- Nico Golde <nion@debian.org>  Tue, 27 Jul 2010 15:44:10 +0000

Does someone know why Philipp Kern made the upload to volatile fixing
only i386? Has he told the security team about his intent?

Why does the list in the secure-testing repository have an entry for
1:1.5.6.5-3+lenny4? Where is this version?

http://svn.debian.org/wsvn/secure-testing/data/DSA/list

[26 Sep 2010] DSA-2114-1 git-core
        {CVE-2010-2542}
        [lenny] - git-core 1:1.5.6.5-3+lenny4

Regards, Jörg
-- 
Fuchs' Paradox (http://www.bruhaha.de/laws.html):
Anyone who posts a general question on any topic to de.alt.arnooo and
expects a serious answer is actually fairly on-topic there.

