
Re: closing Bullseye bugs pointing to a fix in Unstable?



On Sat, Jul 23, 2022 at 11:34:45AM +0200, Thomas Schmitt wrote:
> Alexander V. Makartsev wrote:
> > Then why "nvidia-driver" in Stable was switched from previous "460.91.03-1"
> > version to "470.129.06-6~deb11u1"?
> 
>   https://tracker.debian.org/news/1345038/accepted-nvidia-graphics-drivers-47012906-6deb11u1bpo101-source-amd64-into-buster-backports-backports-policy-buster-backports/
> closes 24 bugs and fixes 6 CVEs.
> 
> Obviously this was not a cautious detail fix by a concise patch but
> rather a switch to a new upstream release. Already the first CVE in the
> list shows that the old situation was quite desperate.

Sometimes, the only way to fix security bugs is to use a newer upstream
version.  The Debian teams try hard to avoid it, but it has happened
before, and it will happen again.

A couple other packages that have a history of receiving new upstream
versions in stable, in order to fix security bugs, are samba and bind9.
Samba once received such a new version that it required users to change
their configuration files in the middle of a stable release.  Annoying,
but such is the world in which we live.

