Hi!

A naive question about an issue that I found on the security bug tracker[1]: CVE-2006-1513[2] is listed as fixed in stable and oldstable by DSA-1041-1, but is still considered unfixed in testing and unstable.
On the other hand the issue is fixed in stable-security by version 1.3.3-3sarge1, while unstable and testing still have version 1.3.3-3 (which is vulnerable).
Isn't it possible to just forward-port 1.3.3-3sarge1 to unstable (as version 1.3.3-4) and to testing-security (as version 1.3.3-3etch1)?

What do I fail to understand?

[1] http://idssi.enyo.de/tracker/
[2] http://idssi.enyo.de/tracker/CVE-2006-1513

--
:-( This Universe is buggy! Where's the Creator's BTS? ;-)
Francesco Poli
GnuPG Key ID = DD6DFCF4
Key fingerprint = C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4

* Francesco Poli:

> A naive question about an issue that I found on the security bug
> tracker[1]: CVE-2006-1513[2] is listed as fixed in stable and oldstable
> by DSA-1041-1, but is still considered unfixed in testing and unstable.
> On the other hand the issue is fixed in stable-security by version
> 1.3.3-3sarge1, while unstable and testing still have version 1.3.3-3
> (which is vulnerable).
> Isn't it possible to just forward-port 1.3.3-3sarge1 to unstable (as
> version 1.3.3-4) and to testing-security (as version 1.3.3-3etch1)?

See this thread on debian-devel:

<http://lists.debian.org/debian-devel/2006/06/msg00877.html>

I believe this is the same issue.

On Sun, 02 Jul 2006 16:33:29 +0200 Florian Weimer wrote:

> * Francesco Poli:
>
> > A naive question about an issue that I found on the security bug
> > tracker[1]: CVE-2006-1513[2] is listed as fixed in stable and
> > oldstable by DSA-1041-1, but is still considered unfixed in testing
> > and unstable. On the other hand the issue is fixed in
> > stable-security by version 1.3.3-3sarge1, while unstable and testing
> > still have version 1.3.3-3 (which is vulnerable).
> > Isn't it possible to just forward-port 1.3.3-3sarge1 to unstable (as
> > version 1.3.3-4) and to testing-security (as version 1.3.3-3etch1)?
>
> See this thread on debian-devel:
>
> <http://lists.debian.org/debian-devel/2006/06/msg00877.html>
>
> I believe this is the same issue.

It seems so.
I went rapidly through the whole thread: IIUC, there's a bug in dinstall that prevents updates like this from propagating from stable-security to unstable and testing.
I hope it can be fixed soon.

Maybe, in the meantime, it would be a good idea to upload abc2ps 1.3.3-3sarge1 to unstable (and/or to testing-security) as version 1.3.3-4, anyway...
Or am I missing something (else)?

--
Francesco Poli