
Odp: Re: Debian 2.2 and security - SecurityPortal article



> > Just read it and tell me what you think about it.
> 
> I think it has some valid points.  He brings up issues that make sense and
> should have been taken care of a long time ago (e.g. commenting out archaic
> services in inetd.conf, default homedir perms, etc).  Maybe Debian
> maintainers should go over 2.2 with a fine-tooth comb and release a 2.2.1
> security/system update?

But this guy talks about security holes just by checking package version
numbers! He doesn't look at what has been done with the package (Debian-specific
changes, including backported fixes for security holes). I have often written to
maintainers that Debian should implement the right package versions. For
example: a package in Debian has number 1.4-1. A security hole is discovered
and it's fixed in the normal 1.5 version. But when this package (1.4-1) is in
the "frozen state" there is no possibility to generate package 1.5-1 and put it
into frozen. So the maintainer backports the security fix and makes package 1.4-2,
which has no security hole. But for a guy like this writer (and for many
normal users) this package has a security hole. Not so many look at the
changelogs or try exploits - they just look at the package version (it's 1.4)
and look at the advisory, in which they read that the hole has been fixed in
version 1.5, so they think that Debian is insecure. And I think this is a big
problem for most people.

_________________
Leszek Gerwatowski
BigL@tpi.pl


