
Bug#211356: marked as done (ssh: package in woody-proposed-updates overwrites security fixed package from security.debian.org!)



Your message dated Wed, 17 Sep 2003 12:38:00 +0100
with message-id <20030917113800.GA11545@riva.ucam.org>
and subject line Bug#211356: ssh: package in woody-proposed-updates overwrites security fixed package from security.debian.org!
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 17 Sep 2003 09:26:45 +0000
>From marc@schiffbauer.net Wed Sep 17 04:26:39 2003
Return-path: <marc@schiffbauer.net>
Received: from p15108950.pureserver.info (pluto.schiffbauer.net) [217.160.128.7] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 19zYa7-0003Ve-00; Wed, 17 Sep 2003 04:26:39 -0500
Received: from amavis by pluto.schiffbauer.net with scanned-ok (Exim 3.35 #1 (Debian))
	id 19zYa6-0000xs-00
	for <submit@bugs.debian.org>; Wed, 17 Sep 2003 11:26:38 +0200
Received: from unknown by localhost (amavisd-new, unix socket)
	id client-XXLpXMxg for <submit@bugs.debian.org>;
	Wed, 17 Sep 2003 11:26:37 +0200 (CEST)
Received: from mschiff by pluto.schiffbauer.net with local (Exim 3.35 #1 (Debian))
	id 19zYa5-0004rE-00; Wed, 17 Sep 2003 11:26:37 +0200
From: Marc Schiffbauer <marc@links2linux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ssh: package in woody-proposed-updates overwrites security fixed package from security.debian.org!
X-Mailer: reportbug 1.50
Date: Wed, 17 Sep 2003 11:26:37 +0200
Message-Id: <E19zYa5-0004rE-00@pluto.schiffbauer.net>
Sender: Marc Schiffbauer <marc@schiffbauer.net>
X-Virus-Scanned: by amavisd-new-20030616-p5 (Debian) at schiffbauer.net
Delivered-To: submit@bugs.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0
	tests=HAS_PACKAGE
	version=2.53-bugs.debian.org_2003_9_16
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_9_16 (1.174.2.15-2003-03-30-exp)

Package: ssh
Version: 1:3.4p1-1.1
Severity: critical
Justification: root security hole

I have the following deb lines in my sources.list

deb http://security.debian.org/ stable/updates main contrib non-free
deb http://ftp.de.debian.org/debian woody-proposed-updates main non-free contrib
deb http://ftp.de.debian.org/debian-non-US woody-proposed-updates/non-US main non-free contrib

mschiff@pluto:~$ apt-cache policy ssh
ssh:
  Installed: 1:3.4p1-1.1
  Candidate: 1:3.4p1-1.woody.1
  Version Table:
     1:3.4p1-1.woody.1 0
        500 http://ftp.de.debian.org woody-proposed-updates/main Packages
 *** 1:3.4p1-1.1 0
        500 http://security.debian.org stable/updates/main Packages
        100 /var/lib/dpkg/status
     1:3.4p1-1 0
        500 http://ftp.debian.org woody/main Packages
mschiff@pluto:~$


So if one always installs packages from woody-proposed-updates he will
never get the security fixed update by NMU because 
  1:3.4p1-1.woody.1 > 1:3.4p1-1.1


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pluto 2.4.21-grsec #1 Tue Jul 1 11:37:16 CEST 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages ssh depends on:
ii  adduser                3.47              Add and remove users and groups
ii  debconf                1.2.35            Debian configuration management sy
ii  libc6                  2.2.5-11.5        GNU C Library: Shared libraries an
ii  libpam-modules         0.72-35           Pluggable Authentication Modules f
ii  libpam0g               0.72-35           Pluggable Authentication Modules l
ii  libssl0.9.6            0.9.6g-0.woody.1  SSL shared libraries
ii  libwrap0               7.6-9             Wietse Venema's TCP wrappers libra
ii  zlib1g                 1:1.1.4-1.0woody0 compression library - runtime


---------------------------------------
Received: (at 211356-done) by bugs.debian.org; 17 Sep 2003 11:38:15 +0000
>From cjwatson@flatline.org.uk Wed Sep 17 06:38:06 2003
Return-path: <cjwatson@flatline.org.uk>
Received: from protactinium.btinternet.com [194.73.73.176] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 19zadH-0005er-00; Wed, 17 Sep 2003 06:38:03 -0500
Received: from host81-129-36-235.in-addr.btopenworld.com ([81.129.36.235] helo=riva.lab.dotat.at)
	by protactinium.btinternet.com with esmtp (Exim 3.22 #23)
	id 19zadE-00057L-00
	for 211356-done@bugs.debian.org; Wed, 17 Sep 2003 12:38:01 +0100
Received: from cjwatson by riva.lab.dotat.at with local (Exim 3.35 #1 (Debian))
	for 211356-done@bugs.debian.org
	id 19zadE-00030Y-00; Wed, 17 Sep 2003 12:38:00 +0100
Date: Wed, 17 Sep 2003 12:38:00 +0100
From: Colin Watson <cjwatson@debian.org>
To: 211356-done@bugs.debian.org
Subject: Re: Bug#211356: ssh: package in woody-proposed-updates overwrites security fixed package from security.debian.org!
Message-ID: <20030917113800.GA11545@riva.ucam.org>
References: <E19zYa5-0004rE-00@pluto.schiffbauer.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <E19zYa5-0004rE-00@pluto.schiffbauer.net>
User-Agent: Mutt/1.3.28i
Delivered-To: 211356-done@bugs.debian.org
X-Spam-Status: No, hits=-5.7 required=4.0
	tests=EMAIL_ATTRIBUTION,QUOTED_EMAIL_TEXT
	version=2.53-bugs.debian.org_2003_9_16
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_9_16 (1.174.2.15-2003-03-30-exp)

On Wed, Sep 17, 2003 at 11:26:37AM +0200, Marc Schiffbauer wrote:
> So if one always installs packages from woody-proposed-updates he will
> never get the security fixed update by NMU because 
>   1:3.4p1-1.woody.1 > 1:3.4p1-1.1

This has been fixed. The security update just released is
1:3.4p1-1.woody.2, and incorporates the change in 1:3.4p1-1.woody.1.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
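
The version ordering behind this report, as an added example that is not part of either message and is not dpkg's own code: a Python re-implementation of the Debian version comparison rules (epoch, then upstream version, then revision, each compared as alternating non-digit and digit runs). The function names are hypothetical; the version strings are the ones quoted in the thread.

```python
import re
from functools import cmp_to_key

def _weight(c):
    # dpkg ordering: '~' sorts before everything, letters before other symbols.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_string(a, b):
    # Compare alternating (non-digit run, digit run) pairs, left to right.
    ta, tb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    n = max(len(ta), len(tb))
    ta += [("", "")] * (n - len(ta))
    tb += [("", "")] * (n - len(tb))
    for (sa, da), (sb, db) in zip(ta, tb):
        m = max(len(sa), len(sb))
        # End of a run weighs 0, so "." < ".woody." but "~" < "".
        wa = [_weight(c) for c in sa] + [0] * (m - len(sa))
        wb = [_weight(c) for c in sb] + [0] * (m - len(sb))
        if wa != wb:
            return -1 if wa < wb else 1
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def split_version(v):
    # [epoch:]upstream[-revision]; the revision follows the last hyphen.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare(a, b):
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_string(ua, ub) or _cmp_string(ra, rb)

def candidate(versions):
    # With equal pin priorities (all 500 in the report) apt picks the highest version.
    return max(versions, key=cmp_to_key(compare))

# Versions quoted in the thread, before and after the 1:3.4p1-1.woody.2 upload.
BEFORE = ["1:3.4p1-1", "1:3.4p1-1.1", "1:3.4p1-1.woody.1"]
AFTER = BEFORE + ["1:3.4p1-1.woody.2"]
```

Here candidate(BEFORE) is the woody-proposed-updates package, because the letter "w" in the revision outranks the digit run in "1.1"; candidate(AFTER) is the security upload.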


