Bug#211356: ssh: package in woody-proposed-updates overwrites security fixed package from security.debian.org!
Package: ssh
Version: 1:3.4p1-1.1
Severity: critical
Justification: root security hole
I have the following deb lines in my sources.list
deb http://security.debian.org/ stable/updates main contrib non-free
deb http://ftp.de.debian.org/debian woody-proposed-updates main non-free contrib
deb http://ftp.de.debian.org/debian-non-US woody-proposed-updates/non-US main non-free contrib
mschiff@pluto:~$ apt-cache policy ssh
ssh:
  Installed: 1:3.4p1-1.1
  Candidate: 1:3.4p1-1.woody.1
  Version Table:
     1:3.4p1-1.woody.1 0
        500 http://ftp.de.debian.org woody-proposed-updates/main Packages
 *** 1:3.4p1-1.1 0
        500 http://security.debian.org stable/updates/main Packages
        100 /var/lib/dpkg/status
     1:3.4p1-1 0
        500 http://ftp.debian.org woody/main Packages
mschiff@pluto:~$
So if one always installs packages from woody-proposed-updates he will
never get the security fixed update by NMU because
1:3.4p1-1.woody.1 > 1:3.4p1-1.1
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pluto 2.4.21-grsec #1 Tue Jul 1 11:37:16 CEST 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US
Versions of packages ssh depends on:
ii  adduser         3.47               Add and remove users and groups
ii  debconf         1.2.35             Debian configuration management sy
ii  libc6           2.2.5-11.5         GNU C Library: Shared libraries an
ii  libpam-modules  0.72-35            Pluggable Authentication Modules f
ii  libpam0g        0.72-35            Pluggable Authentication Modules l
ii  libssl0.9.6     0.9.6g-0.woody.1   SSL shared libraries
ii  libwrap0        7.6-9              Wietse Venema's TCP wrappers libra
ii  zlib1g          1:1.1.4-1.0woody0  compression library - runtime
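
Added example (not part of the original report, and not dpkg's or APT's own code): a Python re-implementation of the Debian version ordering, showing why 1:3.4p1-1.woody.1 sorts above the security NMU 1:3.4p1-1.1 and is therefore picked as candidate when both archives have pin priority 500. The function names and the TABLE layout are assumptions of this example; TABLE holds the three priority-500 entries from the apt-cache output above.

```python
# Added illustration: names and TABLE layout are assumptions, not dpkg/APT code.
import re
from functools import cmp_to_key

DIGITS = "0123456789"
NUM = re.compile(r"[0-9]*")

def _order(c):
    # dpkg weights: '~' lowest, end-of-string/digits 0, letters below other punctuation.
    if c == "" or c in DIGITS:
        return 0
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare one upstream or revision string: alternate non-digit and numeric runs.
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            wa = _order(a[i] if i < len(a) else "")
            wb = _order(b[j] if j < len(b) else "")
            if wa != wb:
                return -1 if wa < wb else 1
            i, j = i + 1, j + 1
        da, db = NUM.match(a, i), NUM.match(b, j)
        na, nb = int(da.group() or 0), int(db.group() or 0)
        if na != nb:
            return -1 if na < nb else 1
        i, j = da.end(), db.end()
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

# Version table from the report: (pin priority, version, origin).
TABLE = [(500, "1:3.4p1-1.woody.1", "woody-proposed-updates"),
         (500, "1:3.4p1-1.1", "security.debian.org stable/updates"),
         (500, "1:3.4p1-1", "woody")]

def candidate(table):
    # Highest pin priority wins; equal priorities are decided by the highest version.
    key = cmp_to_key(lambda x, y: (x[0] > y[0]) - (x[0] < y[0]) or compare(x[1], y[1]))
    return max(table, key=key)
```

In the revision strings, "1.woody.1" and "1.1" first differ where "w" meets the digit "1"; a letter outweighs a digit in the non-digit comparison, so the proposed-updates build wins regardless of which package carries the security fix.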