Re: Debian 2.2 and security - SecurityPortal article
> > Just read it and tell me what you think about it.
>
> I think it has some valid points. He brings up issues that make sense and
> should have been taken care of a long time ago (e.g. commenting out archaic
> services in inetd.conf, default homedir perms, etc). Maybe Debian
> maintainers should go over 2.2 with a fine-tooth comb and release a 2.2.1
> security/system update?
But this guy talks about security holes just by checking package version
numbers! He doesn't look at what has been done with the package (Debian-specific
changes, including backported fixes for security holes). I have often written
to maintainers that Debian should implement the right package versions. For
example: a package in Debian has version number 1.4-1. A security hole is
discovered and it is fixed in the normal 1.5 version. But when this package
(1.4-1) is in the "frozen state" there is no possibility to generate package
1.5-1 and put it into frozen. So the maintainer backports the security fix and
makes package 1.4-2, which has no security hole. But for a guy like this writer
(and for many normal users) this package has a security hole. Not so many look
at the changelogs or try exploits; they just look at the package version (it's
1.4) and look at the advisory, in which they read that the hole has been fixed
in version 1.5, so they think that Debian is insecure. And I think this is a
big problem for most people.
_________________
Leszek Gerwatowski
BigL@tpi.pl
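The version-number problem the message above describes, as an added example that is not code from the post or from Debian: the block reimplements the dpkg version ordering (epoch:upstream-revision, with '~' sorting before everything else) and contrasts the naive "compare the upstream part against the advisory" check with a check that uses the full Debian version and the package changelog. The package name 'foo', its changelog text and the keyword search for the backported fix are constructed for this example; a real Debian advisory names the fixed Debian version directly.

```python
"""dpkg version ordering vs. a naive upstream-only advisory check (added example)."""
import re

# Constructed changelog for a hypothetical package 'foo' (not a real package).
CHANGELOG = """\
foo (1.4-2) frozen; urgency=high

  * Backport the upstream 1.5 fix for the buffer overflow in foo_parse().

 -- A. Maintainer <maint@example.org>  Mon, 14 Aug 2000 10:00:00 +0200

foo (1.4-1) unstable; urgency=low

  * New upstream release.

 -- A. Maintainer <maint@example.org>  Mon, 01 May 2000 10:00:00 +0200
"""


def split_version(v):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def _order(c):
    """dpkg's character weight: '~' < end-of-string < letters < other non-digits."""
    if c is None or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare one upstream or revision string the way dpkg's verrevcmp() does:
    alternate non-digit runs (char by char via _order) and digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros do not count
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():   # longer digit run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 ordering two full Debian versions."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def naive_is_fixed(installed, fixed_upstream):
    """The article's method: compare only the upstream part to the upstream advisory."""
    _, upstream, _ = split_version(installed)
    return _cmp_fragment(upstream, fixed_upstream) >= 0


def debian_is_fixed(installed, fixed_debian_version):
    """Compare the full Debian version against the one the Debian advisory names."""
    return dpkg_compare(installed, fixed_debian_version) >= 0


def changelog_entries(changelog):
    """Map each version in a Debian changelog to the text of its entry."""
    entries, current = {}, None
    for line in changelog.splitlines():
        m = re.match(r"^(\S+) \(([^)]+)\) ", line)
        if m:
            current = m.group(2)
            entries[current] = []
        elif current and not line.startswith(" -- "):
            entries[current].append(line.strip())
    return {v: " ".join(t for t in text if t) for v, text in entries.items()}


def changelog_mentions_fix(changelog, version, keyword):
    """True if the changelog entry for `version` mentions `keyword` (simplification)."""
    return keyword.lower() in changelog_entries(changelog).get(version, "").lower()


if __name__ == "__main__":
    installed = "1.4-2"   # the backported package from the post
    print("naive, upstream >= 1.5?  ", naive_is_fixed(installed, "1.5"))
    print("debian, >= 1.4-2?        ", debian_is_fixed(installed, "1.4-2"))
    print("changelog mentions fix?  ", changelog_mentions_fix(CHANGELOG, installed, "overflow"))
```

Run stand-alone it prints False for the naive check and True for the other two: the same package is "vulnerable" when only the upstream number is read and "fixed" when the Debian revision or the changelog is consulted, which is exactly the misreading the post complains about.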