
Re: stable vs. testing: same versions, different status: msg#00006

debian-security-tracker-debian

Subject: Re: stable vs. testing: same versions, different status

On Thu, 2 Jul 2009 12:40:45 -0400 Michael S. Gilbert wrote:

> On Tue, 30 Jun 2009 01:12:44 +0200, Francesco Poli wrote:
> > How can we make sure that those Debian patches, as long as they are
> > still needed, are retained for new upstream versions, when they are
> > packaged?
>
> This is mostly a matter of trusting the maintainer to do the requisite
> background work (applying patches from the old version if they are still
> relevant) when preparing a new upstream version. This isn't
> policyified, but one would also hope that other maintainers/users are
> reviewing the changes to make sure regressions don't happen.

Fair enough.

>
> > Moreover, how can we make sure that packages fixed in stable and
> > testing, but not in unstable, get fixed in unstable too, before a new
> > version migrates from unstable to testing?
> > Maybe by filing appropriate RC bugs?
>
> Yes, if unstable is missing a security fix that is in the testing
> or stable packages, then that is a regression, and a serious bug should
> be filed.

Perfect!
I was going to file an RC bug against linux-2.6 for the following 7
vulnerabilities that are fixed in testing, but not in unstable,
according to the security tracker:

http://security-tracker.debian.net/tracker/CVE-2009-1758
http://security-tracker.debian.net/tracker/CVE-2009-1633
http://security-tracker.debian.net/tracker/CVE-2009-1630
http://security-tracker.debian.net/tracker/CVE-2009-1338
http://security-tracker.debian.net/tracker/CVE-2009-1242
http://security-tracker.debian.net/tracker/CVE-2009-0835
http://security-tracker.debian.net/tracker/CVE-2009-0834

However, while reviewing the CVE descriptions on http://cve.mitre.org/,
I noticed that all of them seem to only affect Linux kernel upstream
versions < 2.6.30.

Could someone check that linux-2.6/2.6.30-1 (currently in unstable) is
really fixed w.r.t. the above-mentioned CVEs and possibly update the
security tracker to reflect reality?

Thanks in advance.


--
New location for my website! Update your bookmarks!
http://www.inventati.org/frx
..................................................... Francesco Poli .
GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4

Attachment: pgp94IfIwr8U6.pgp
Description: PGP signature
