Re: to reiterate, why are there no security updates on the front page? (Or, 17 security holes the security team hasn't told you about)
I found this on debian-www list.
In <[🔎] 20000529135901.A1377@mors.wiggy.net>,
at "Mon, 29 May 2000 13:59:02 +0200",
Wichert Akkerman <email@example.com> writes:
> > While a quick grep of debian-changes for this month and April for
> > "security" finds:
> Lets ignore all the ones from potato and woody, we don't support that.
> That leaves:
> > nmh (0.27-0.28-pre8-4) stable; urgency=high
> > * Applied patch to fix security hole which allowed untrusted shell
> > code to be executed.
> These two were announced, no idea why they show up with a later date.
This reminds me that I have prepared to do the source NMU of mh for slink,
but I had been waiting the reaction from the maintainer.
The mh in slink (6.8.4-28) has the bug described in Bug#59891.
I think we should supply the security fix version of mh to not only
the potato, but also the slink. I will upload the rebuild version of
potato mh for slink, as mh_6.8.4-JP-3.03-32.0slink1.
(This is considered as the new upstream version, and it was one
of reasons that I hesitated to upload the fixed package soon.
I do not have the time to make the backport patch for the older
version of mh now.)
This package was built as the source NMU, so the maintainer
field was set to ejb (the maintainer of potato mh at that time),
but it is the same as the potato mh, so this will make no problem,
Taketoshi Sano: <firstname.lastname@example.org>,<email@example.com>,<firstname.lastname@example.org>