Secure testing team - Dec 2008 - Security update for Debian Testing - 2008-12-06

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was wondering, why I don''t receive any testing security updates any
more.

secure-testing-team at lists.alioth.debian.org wrote:
[snip]
> Migrated from unstable:
> ======================> cups 1.3.8-1lenny4:
> CVE-2008-5286: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5286
>                http://bugs.debian.org/507183
[snip]
> How to update:
> --------------
> Make sure the line
> 
> 	deb http://security.debian.org lenny/updates main contrib non-free
> 
> is present in your /etc/apt/sources.list. 
# grep -v ^# /etc/apt/sources.list
deb http://ftp2.de.debian.org/debian/ lenny main contrib non-free
deb-src http://ftp2.de.debian.org/debian/ lenny main contrib non-free

deb http://volatile.debian.org/debian-volatile lenny/volatile main
contrib non-free

deb http://security.debian.org/ lenny/updates main contrib non-free
deb http://debian-multimedia.org lenny main

# apt-cache policy cups
cups:
  Installed: 1.3.8-1lenny2
  Candidate: 1.3.8-1lenny2
  Version table:
 *** 1.3.8-1lenny2 0
        500 http://ftp2.de.debian.org lenny/main Packages
        100 /var/lib/dpkg/status

It turns out that ftp2.de.debian.org is not up to date any more.

I added ftp.de.debian.org to apt''s sources and now have 35 upgradable
packages that have been missed by ftp2.de.d.o.

I have two questions:

Where should I report the problem with ftp2.de.debian.org?

Is there a recommended way of checking one''s sources.list for outdated
servers?

Thanks in advance,

Johannes
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkk6P8MACgkQC1NzPRl9qEVB8QCfZPQb743Ns0Cr/Ejt8P03Qsq3
+60Ani2jXHri3qIJSJaUuKMpK3nfQCmZ
=gYge
-----END PGP SIGNATURE-----

Hi!

* Johannes Wiedersich <jowied at googlemail.com> [2008-12-06 10:03:04
CET]:
> I was wondering, why I don''t receive any testing security updates
any more.
> 
> # grep -v ^# /etc/apt/sources.list
> deb http://ftp2.de.debian.org/debian/ lenny main contrib non-free
> deb-src http://ftp2.de.debian.org/debian/ lenny main contrib non-free
> 
> # apt-cache policy cups
> cups:
>   Installed: 1.3.8-1lenny2
>   Candidate: 1.3.8-1lenny2
>   Version table:
>  *** 1.3.8-1lenny2 0
>         500 http://ftp2.de.debian.org lenny/main Packages
>         100 /var/lib/dpkg/status
> 
> It turns out that ftp2.de.debian.org is not up to date any more.
 That''s not directly related to security work, though given that lenny
fixes are announced through migration from unstable to testing I totally
understand why you get that impression. :)

 I added the site admin to the addressee and hope Florian can look into
the issue and get his server back in sync. Flo, do you know what''s your
sync problem? http://ftp2.de.debian.org/debian/project/trace/ states
that you have last synced three days ago, problem with the trigger
possibly? Can you take a look?
> I added ftp.de.debian.org to apt''s sources and now have 35
upgradable
> packages that have been missed by ftp2.de.d.o.
 Something like that is a good approach as temporary workaround.
> Where should I report the problem with ftp2.de.debian.org?
 The best suited list would be debian-mirrors at lists.debian.org because
it''s a problem in the mirror network.
> Is there a recommended way of checking one''s sources.list for
outdated
> servers?
 Not really sure about that. Most services do though have these trace
files in which you could check the time of the last update they did.

 Thanks for your notice, hopefully it can get fixed soonish.
Rhonda

On Sat, Dec 06, 2008 at 11:13:41AM +0100, Gerfried Fuchs
wrote:
> * Johannes Wiedersich <jowied at googlemail.com> [2008-12-06 10:03:04
CET]:
> > I was wondering, why I don''t receive any testing security
updates any more.
> > 
> > # grep -v ^# /etc/apt/sources.list
> > deb http://ftp2.de.debian.org/debian/ lenny main contrib non-free
> > deb-src http://ftp2.de.debian.org/debian/ lenny main contrib non-free
> > 
> > # apt-cache policy cups
> > cups:
> >   Installed: 1.3.8-1lenny2
> >   Candidate: 1.3.8-1lenny2
> >   Version table:
> >  *** 1.3.8-1lenny2 0
> >         500 http://ftp2.de.debian.org lenny/main Packages
> >         100 /var/lib/dpkg/status
> > 
> > It turns out that ftp2.de.debian.org is not up to date any more.
> 
>  That''s not directly related to security work, though given that
lenny
> fixes are announced through migration from unstable to testing I totally
> understand why you get that impression. :)
> 
>  I added the site admin to the addressee and hope Florian can look into
> the issue and get his server back in sync. Flo, do you know what''s
your
> sync problem? http://ftp2.de.debian.org/debian/project/trace/ states
> that you have last synced three days ago, problem with the trigger
> possibly? Can you take a look?
I am looking right now and its syncing right now - you are right that
the trace stamp seems not to be up to date ... - cant explain right
now. From looking at the live rsync output i could imaginge that
somethings wrong with the bandwidth between me and my upstream as its
really slow ... My first guess is that something went awry with the ipv6
connectivity which i typically sync at ...

Gave rsync a -4 for now which seems to speed up the process
significantly ...

Flo
-- 
Florian Lohoff                  flo at rfc822.org             +49-171-2280134
	Those who would give up a little freedom to get a little 
          security shall soon have neither - Benjamin Franklin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :
http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081206/1d498e5e/attachment.pgp