On Sun, 2005-09-18 at 13:12 +0200, Florian Weimer wrote:
> I just noticed the following:
>
> Source Package    Release           Version           Status
> maildrop (PTS)    woody             1.3.7-2           vulnerable
>                   sarge             1.5.3-1.1         vulnerable
>                   etch (security)   1.5.3-1.1etch1    fixed
>                   sarge (security)  1.5.3-1.1sarge1   fixed
>                   etch, sid         1.5.3-2           fixed
>
> The sarge security fix has a higher version number than the testing
> security fix. I'm not sure how many users have stable-security in
> their sources.list files, but this might cause problems because
> testing-security uploads might not have the desired effect.
It should be the same patch, so at least for this instance, it should
not matter. However, this could certainly cause problems in the future,
for the following corner case:
1) foo-1.1.1-1 is found to have a security hole
2) foo-1.1.1-1sarge1 and foo-1.1.1-1etch1 are both released to fix it;
   people with both sources in their list end up w/ foo-1.1.1-1sarge1
   installed
3) another security hole is found; foo-1.2-1 (in sid) has not yet made
   it to etch
4) foo-1.1.1-1etch2 is released; none of our users gets it installed,
   since 1.1.1-1etch2 < 1.1.1-1sarge1
5) at some point, either 1.1.1-1sarge2 is released, or foo-1.2-2
   (presumably with the fix included) migrates from sid. There might be a
   large time lapse between those two points, however.
Perhaps it might be a good idea to start using (instead of "etchX")
".0etchX"? So foo-1.1.1-1etch1 becomes foo-1.1.1-1.0etch1, which ends
up being higher than foo-1.1.1-1sarge1, while still less than
foo-1.1.1-1.1 or -2.
--
Andres Salomon <dilinger@debian.org>