> > This is just a heads up and of course not publicly disclosed yet. I intend
> > to make a X.XX.X release really soon and publish that for when this flaw
> > gets announced.
[snip]
>
> thank you. i will wait for you to publish X.XX.X.
>
> currently, the affected version in debian are only in unstable and
> testing. the unstable version will be upgraded as soon as you publish
> X.XX.X, the testing version is not subject to strict security support.
>
> i CCed the debian testing security group to let them correct me if
> i'm wrong.
>

Well, the testing version *is* subject to security support, as we do it
:)

However, we only deal with publicly announced security issues. An
upload to unstable with a high urgency will ensure it gets pushed into
testing asap, and if it's stalled by anything, we'll release a DTSA.

As an aside, I've censored this mail, and asked for the original to be
removed from the archives. This email address is a public list, so isn't
suitable for undisclosed problems. The correct address for that is
team@security.debian.org

Regards,
Neil McGovern
--
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?
gpg key - http://www.halon.org.uk/pubkey.txt ; the.earth.li B345BDD3

Domenico Andreoli
2006-Mar-14 15:27 UTC
[Secure-testing-team] Re: <package> Buffer Overflow
On Mon, Mar 13, 2006 at 12:10:24PM +0000, Neil McGovern wrote:
> > > This is just a heads up and of course not publicly disclosed yet. I intend
> > > to make a X.XX.X release really soon and publish that for when this flaw
> > > gets announced.
> [snip]
> >
> > thank you. i will wait for you to publish X.XX.X.
> >
> > currently, the affected version in debian are only in unstable and
> > testing. the unstable version will be upgraded as soon as you publish
> > X.XX.X, the testing version is not subject to strict security support.
> >
> > i CCed the debian testing security group to let them correct me if
> > i'm wrong.
> >
>
> Well, the testing version *is* subject to security support, as we do it
> :)

of course :)

> However, we only deal with publicly announced security issues. An
> upload to unstable with a high urgency will ensure it gets pushed into
> testing asap, and if it's stalled by anything, we'll release a DTSA.

ok. then, practically, we have nothing to do until 7.15.3 is out.

> As an aside, I've censored this mail, and asked for the original to be
> removed from the archives. This email address is a public list, so isn't
> suitable for undisclosed problems. The correct address for that is
> team@security.debian.org

ah, thank you. i'm surprised. i didn't find anything about this at
http://secure-testing-master.debian.net/. reading the debian security
faq, it looks like the debian security team and the testing one are
different entities. indeed i expected
secure-testing-team@lists.alioth.debian.org to be the private mailing
list for testing security as team@security.debian.org is for stable.

please add a clarifying note in the "Members and contacting the team"
section.

anyway, thank you.

cheers
domenico

-----[ Domenico Andreoli, aka cavok
--[ http://people.debian.org/~cavok/gpgkey.asc
---[ 3A0F 2F80 F79C 678A 8936 4FEE 0677 9033 A20E BC50