
Bug#211356: ssh: package in woody-proposed-updates overwrites security fixed package from security.debian.org!



Package: ssh
Version: 1:3.4p1-1.1
Severity: critical
Justification: root security hole

I have the following deb lines in my sources.list

deb http://security.debian.org/ stable/updates main contrib non-free
deb http://ftp.de.debian.org/debian woody-proposed-updates main non-free contrib
deb http://ftp.de.debian.org/debian-non-US woody-proposed-updates/non-US main non-free contrib

mschiff@pluto:~$ apt-cache policy ssh
ssh:
  Installed: 1:3.4p1-1.1
  Candidate: 1:3.4p1-1.woody.1
  Version Table:
     1:3.4p1-1.woody.1 0
        500 http://ftp.de.debian.org woody-proposed-updates/main Packages
 *** 1:3.4p1-1.1 0
        500 http://security.debian.org stable/updates/main Packages
        100 /var/lib/dpkg/status
     1:3.4p1-1 0
        500 http://ftp.debian.org woody/main Packages
mschiff@pluto:~$


So if one always installs packages from woody-proposed-updates he will
never get the security fixed update by NMU because 
  1:3.4p1-1.woody.1 > 1:3.4p1-1.1


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pluto 2.4.21-grsec #1 Tue Jul 1 11:37:16 CEST 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages ssh depends on:
ii  adduser                3.47              Add and remove users and groups
ii  debconf                1.2.35            Debian configuration management sy
ii  libc6                  2.2.5-11.5        GNU C Library: Shared libraries an
ii  libpam-modules         0.72-35           Pluggable Authentication Modules f
ii  libpam0g               0.72-35           Pluggable Authentication Modules l
ii  libssl0.9.6            0.9.6g-0.woody.1  SSL shared libraries
ii  libwrap0               7.6-9             Wietse Venema's TCP wrappers libra
ii  zlib1g                 1:1.1.4-1.0woody0 compression library - runtime




