Re: Security problem

[King Lee <king@ultrix6.cs.csubak.edu>]

Sorry to keep this thread going, but perhaps one more clarification.

The original post said that the bug occured on RedHat 5.1 of our 
system administrator.  I immediately emailed Red Hat 
(haven't heard from them yet), and also posted to Debian.
I got a reply from Debian within 12 hours and looked for 
the new package number in package-updates. 
I didn't find it  so I looked in current distribution and found 
it with correct version number.

On Sat, 24 Oct 1998, Lukas Eppler wrote:

> On Fri, 23 Oct 1998, King Lee wrote:
> 
> > The  bug is real, and Debian has a fix.  See security 
> > lists in Debian. If you  are running Debian 2.0
> > you might have a security hole. There was also security
> > problems with bind.  The fixes appear in the current distributions
> > (2.0.2 I think) not in package-updates.
> 
> Why the bloody hell not?

I think that it was moved from package-updates to the main distribution
so that  if you downloaded it or purchased a new cdrom, it would 
have the updates in it.  Seems reasonable.

> 
> Sorry, this makes me angry. Debian does a whole lot on finding these
> holes, then spreading the information they are there, but then every one
> has to read at least debian-user or visit the security page on the web to
> find out. We have such a great distribution system and make no use of it.

System administration with responsibility for security 
(and  other things)  is inhierently complex.  All you can 
ask for is someone to point the way, and it's up to you track it
down.

King Lee