
Re: [SECURITY] [DSA 3386-2] unzip regression update



Hi Dave,

On Tue, Nov 10, 2015 at 09:54:19PM +0000, David McDonald wrote:
> Thank you Salvatore & Thijs for your responses.
> 
> I appreciate and understand your advice.
> 
> My specific interest in the matter arose after receiving the alert.
> I prepared to install the update that was listed in the e-mail and
> found that the latest I could obtain (using apt-get) was the earlier
> version. I investigated further to ensure the system was
> appropriately up-to-date. Fortunately the web site confirmed that
> the version I had obtained with apt-get addressed the particular
> issue identified in the alert.
> 
> It did, however, leave me with some niggling doubts - as the
> difference might be interpreted as an indication of error or
> omission. (Your e-mail has, of course, dispelled such doubts).
> 
> So, though perhaps this has been considered previously, in the
> interests of improving Debian may I suggest that it might be better
> to delay the e-mail until the web page is updated (or, better yet,
> "push" the update of the web page)?

Updating in a timely manner will probably not work with the current
infrastructure unless the specific website can be updated on demand
(instead of the regular, interval-triggered update). But it is important
to us that delivered updates and debian-security-announce mail are
closely followed.

As you said above that you actually didn't receive the update
immediately via apt-get upgrade after the mail announcement: I sent
out the advisory just after the package was installed into the
archive, but I have heard from the Debian system administrators that
two security mirrors were not updated and were only fixed later. So
maybe you got hit by this issue.

If you check it now, you have unzip 6.0-16+deb8u2 available via apt,
right?

Regards,
Salvatore
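The check Salvatore asks Dave to make at the end of his message (is the version the DSA names actually installed, or at least offered, via apt?) written out as an added example; this is not code from Debian or from anyone in this thread. It assumes `apt-cache policy unzip` output of the usual shape, and the two policy texts in the block are constructed for illustration, with the "earlier version" Dave mentions taken to be 6.0-16+deb8u1. The version ordering is a Python port of dpkg's rules from Debian Policy section 5.6.12 (epoch, then upstream version, then Debian revision; "~" sorts before everything; digit runs compare numerically), so the script does not need dpkg on the machine that runs it.

```python
"""Port of dpkg's version ordering (Debian Policy 5.6.12) plus a check of
apt-cache policy output against the version a DSA names.  Added example for
this thread, not Debian's code; the policy texts below are constructed."""
import re

FIXED_VERSION = "6.0-16+deb8u2"   # the build DSA-3386-2 announces

# Constructed: a host whose security mirror has not synced the update yet.
LAGGING_MIRROR_POLICY = """\
unzip:
  Installed: 6.0-16+deb8u1
  Candidate: 6.0-16+deb8u1
  Version table:
 *** 6.0-16+deb8u1 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
"""

# Constructed: the same host after the mirror caught up.
SYNCED_MIRROR_POLICY = """\
unzip:
  Installed: 6.0-16+deb8u1
  Candidate: 6.0-16+deb8u2
  Version table:
     6.0-16+deb8u2 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
 *** 6.0-16+deb8u1 0
"""

def _order(c):
    """Weight of one character in a non-digit run, as dpkg computes it."""
    if c == "" or c.isdigit():   # end of string, or a digit facing a non-digit
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256   # '~' lowest; punctuation after letters

def _cmp_fragment(a, b):
    """Compare two upstream_version or debian_revision strings like dpkg."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compared character by character with _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            diff = _order(a[i] if i < len(a) else "") - _order(b[j] if j < len(b) else "")
            if diff:
                return diff
            i, j = i + 1, j + 1
        # Digit run: compared numerically, leading zeros ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1                      # a's number has more digits
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    """[epoch:]upstream_version[-debian_revision] -> (int, str, str)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def dpkg_compare(a, b):
    """Negative if a < b, zero if equal, positive if a > b (dpkg semantics)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def parse_apt_policy(text):
    """Pull the Installed and Candidate versions out of apt-cache policy output."""
    found = re.findall(r"^\s*(Installed|Candidate):\s*(\S+)", text, re.M)
    return {key.lower(): value for key, value in found}

def dsa_status(policy_text, fixed_version):
    """Classify a host: 'patched', 'update available', or 'fix not on configured mirrors'."""
    p = parse_apt_policy(policy_text)
    installed, candidate = p.get("installed", "(none)"), p.get("candidate", "(none)")
    if installed != "(none)" and dpkg_compare(installed, fixed_version) >= 0:
        return "patched"
    if candidate != "(none)" and dpkg_compare(candidate, fixed_version) >= 0:
        return "update available"           # apt-get upgrade will pull it in
    return "fix not on configured mirrors"  # the stale-mirror case in the thread

if __name__ == "__main__":
    for name, text in (("lagging", LAGGING_MIRROR_POLICY), ("synced", SYNCED_MIRROR_POLICY)):
        print(name, "->", dsa_status(text, FIXED_VERSION))
```

On a real host, feed `dsa_status` the output of `apt-cache policy unzip` (after `apt-get update`) and the version string from the DSA. The "fix not on configured mirrors" result is what Dave's situation looks like from the client side: the advisory names a build that none of the configured sources offer yet, which is a mirror-sync question rather than an error in the advisory.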
