
Re: If some package have serious bug and fixed on unstable and testing release, how long it will be available on stable release?

On Sat, Jan 30, 2021 at 05:27:30AM +0000, Robbi Nespu wrote:
> Hi
> On Fri, 29 Jan 2021 10:58:06 -0600, David Wright wrote:
> > https://security-tracker.debian.org/tracker/CVE-2021-3156
> > is a timely example of how Debian deals with such problems.
> > Note in particular the line
> > 
> >  stretch (security) 1.8.19p1-2.1+deb9u3 fixed
> > 
> > showing that stretch's version gets a fix, not an upgrade.
> How can you confirm that 1.8.19p1-2.1+deb9u3 fixes CVE-2021-3156?
> I could not see the source code for that version here [1]; I can only find
> 1.8.19p1-2.1+deb9u2. Are the source repositories for security releases
> separate?
> 1. https://sources.debian.org/src/sudo/

I subscribed to the Debian security announce list, so I received a
security update announcement about sudo a few days ago. You can find the web
archive of this email at this link [1].

As said in the email, you can find the detailed security status of sudo
in its security tracker page at: [2]

For the source code, I also cannot find the 1.8.19p1-2.1+deb9u3
version, but I noticed that there is a 1.8.27-1+deb10u3 version [3].
This is the version mentioned in the security update announcement, which is
suitable for the latest stable version (Debian 10).

[1] https://lists.debian.org/debian-security-announce/2021/msg00020.html
[2] https://security-tracker.debian.org/tracker/sudo
[3] https://sources.debian.org/src/sudo/1.8.27-1+deb10u3/

OpenPGP fingerprint: 3C47 5977 4819 267E DD64  C7E4 6332 5675 A739 C74E
