Third time lucky! Note, set forwarding to inline in Thunderbird if you
want to forward to the ilug list!
Paul Jakma wrote:
> On Wed, 8 Sep 2004, Niall Walsh wrote:
>> By debian standards you lose them (you get to update your packages
>> not security updates), by any other distributions standards you are
>> probably still far far ahead of the game!
>
> Hmmm.. I read LWN, and I have the vague notion Debian is, more often
> than not, not the speediest to release security updates. If someone
> knew of a URL to a more rigorous analysis, that would be interesting,
> or they could trawl through:
>
> http://lwn.net/Vulnerabilities/

Well a Microsoft funded piece our PRO pointed me at recently certainly
suggested Debian was best :-) Of course I think it is extremely
difficult for anyone to do a fair analysis on these sorts of stats.
> Some of the more interesting IDs, eg commonly used software, are:
> http://lwn.net/Vulnerabilities/100607/
> http://lwn.net/Vulnerabilities/94732/
> http://lwn.net/Vulnerabilities/100358/
> http://lwn.net/Vulnerabilities/97725/
> http://lwn.net/Vulnerabilities/96389/
> http://lwn.net/Vulnerabilities/93071/
> etc..

#100607 Created 2nd September 2004
http://packages.debian.org/changelogs/pool/main/a/apache2/apache2_2.0.50-12/changelog
apache2 (2.0.50-11) unstable; urgency=high
* Add two patches from upstream to address two vulnerabilities in mod_ssl:
- CAN-2004-0748 is a potential infinite loop in the SSL input filter
which can be triggered by an aborted connection.
- CAN-2004-0751 is a potential segfault in the SSL input filter which
can be triggered by the response to request which is proxied to a
remote SSL server.
-- Adam Conrad <XXXXXXXXXXXX> Mon, 23 Aug 2004 19:25:50 -0600
#94732 Created 22nd July 2004
http://packages.debian.org/changelogs/pool/main/s/samba/samba_3.0.6-3/changelog
samba (3.0.5-1) unstable; urgency=high
* New upstream version. Urgency "high" because of potential buffer
overflows. The security fixes are the only difference between
3.0.4 and 3.0.5.
-- Eloy A. Paris <XXXXXXXXXXX> Thu, 22 Jul 2004 08:07:36 -0400
#100358 Created 1st September 2004
Not sure about this one!
#97725 Created 12th August 2004
http://packages.debian.org/changelogs/pool/main/g/gaim/gaim_0.82.1-1/changelog
gaim (1:0.81-3) unstable; urgency=high
* debian/patches/msn-fixes-CAN-2004-0500.patch:
- patch from SUSE to fix CAN-2004-0500
-- Robert McQueen <XXXXXXXXXXX> Fri, 13 Aug 2004 10:54:10 +0100
#96389 Created 3rd August 2004
http://packages.debian.org/changelogs/pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-5/changelog
kernel-source-2.6.8 (2.6.8-1) unstable; urgency=high
-- Andres Salomon <XXXXXXXXXXXX> Sat, 14 Aug 2004 02:40:50 -0400
#93071 Created 9th July 2004
DSA-528-1 2004-07-17
So from your list one of the kernel items may or may not be outstanding
depending on whether debian kernels are impacted?
> For those where no debian advisory is listed: it could partly be due
> to debian not shipping affected versions of the software, but some of
> the vulnerabilities above affect wide-ranging swathes of versions of
> the software concerned.

I'm fairly certain debian only releases security advisories for packages
in stable. If an issue doesn't affect stable, no advisory will be
released and the problem will simply be fixed by an urgency=high upload
to unstable.
Niall Walsh

> regards,
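The comparison done by hand above (LWN entry creation date versus the date of the urgency=high upload in the Debian changelog) can be scripted. The following is an added example written for this archive page, not code from the thread or from Debian. It parses the changelog entries quoted in the mail using the standard Debian changelog layout (header `package (version) distribution; urgency=level`, trailer ` -- Maintainer <email>  RFC 2822 date`), pulls out the CAN/CVE identifiers mentioned, and reports how many days after the LWN entry was created the fix was uploaded. The LWN creation dates and changelog text are transcribed from the mail (maintainer addresses kept redacted as they appear there); #100358 is left out because no changelog was identified for it. Assumptions: the trailer date is treated as the upload date and compared on calendar date only, ignoring time zone.

```python
"""Compare Debian changelog upload dates with LWN vulnerability entry dates.

Added example for the ilug thread above; not code from the thread or from
Debian. Input data below is transcribed from the mail.
"""
import re
from dataclasses import dataclass
from datetime import date
from email.utils import parsedate_to_datetime

# LWN entry id -> creation date, as listed in the mail.
LWN_CREATED = {
    "100607": "2004-09-02",
    "94732": "2004-07-22",
    "97725": "2004-08-12",
    "96389": "2004-08-03",
}

# Changelog entries quoted in the mail (addresses redacted as in the mail).
CHANGELOGS = {
    "100607": """apache2 (2.0.50-11) unstable; urgency=high
  * Add two patches from upstream to address two vulnerabilities in mod_ssl:
    - CAN-2004-0748 is a potential infinite loop in the SSL input filter
      which can be triggered by an aborted connection.
    - CAN-2004-0751 is a potential segfault in the SSL input filter which
      can be triggered by the response to request which is proxied to a
      remote SSL server.
 -- Adam Conrad <XXXXXXXXXXXX>  Mon, 23 Aug 2004 19:25:50 -0600
""",
    "94732": """samba (3.0.5-1) unstable; urgency=high
  * New upstream version. Urgency "high" because of potential buffer
    overflows. The security fixes are the only difference between
    3.0.4 and 3.0.5.
 -- Eloy A. Paris <XXXXXXXXXXX>  Thu, 22 Jul 2004 08:07:36 -0400
""",
    "97725": """gaim (1:0.81-3) unstable; urgency=high
  * debian/patches/msn-fixes-CAN-2004-0500.patch:
    - patch from SUSE to fix CAN-2004-0500
 -- Robert McQueen <XXXXXXXXXXX>  Fri, 13 Aug 2004 10:54:10 +0100
""",
    "96389": """kernel-source-2.6.8 (2.6.8-1) unstable; urgency=high
 -- Andres Salomon <XXXXXXXXXXXX>  Sat, 14 Aug 2004 02:40:50 -0400
""",
}

# Debian changelog header:  package (version) distribution; urgency=level
HEADER_RE = re.compile(
    r"^(?P<package>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=(?P<urgency>\w+)",
    re.M,
)
# Debian changelog trailer:  -- Maintainer <email>  RFC 2822 date
TRAILER_RE = re.compile(r"^\s*-- (?P<maint>.+?) <(?P<email>[^>]+)>\s+(?P<date>.+?)\s*$", re.M)
# Vulnerability ids in the old CAN- form or the newer CVE- form
ID_RE = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b")


@dataclass
class Entry:
    package: str
    version: str
    distribution: str
    urgency: str
    uploaded: date      # calendar date from the trailer, time zone ignored (assumption)
    ids: list           # CAN/CVE ids mentioned, first-seen order, deduplicated


def parse_entry(text: str) -> Entry:
    """Parse one Debian changelog entry into an Entry."""
    h = HEADER_RE.search(text)
    t = TRAILER_RE.search(text)
    if h is None or t is None:
        raise ValueError("not a Debian changelog entry")
    ids = list(dict.fromkeys(ID_RE.findall(text)))
    uploaded = parsedate_to_datetime(t["date"]).date()
    return Entry(h["package"], h["version"], h["dist"], h["urgency"], uploaded, ids)


def lag_days(lwn_id: str) -> int:
    """Days from LWN entry creation to the Debian upload; negative means the
    fix was uploaded before LWN listed the issue."""
    entry = parse_entry(CHANGELOGS[lwn_id])
    return (entry.uploaded - date.fromisoformat(LWN_CREATED[lwn_id])).days


def report() -> None:
    for lwn_id in CHANGELOGS:
        e = parse_entry(CHANGELOGS[lwn_id])
        print(f"LWN {lwn_id}: {e.package} {e.version} ({e.distribution}, "
              f"urgency={e.urgency}) uploaded {e.uploaded}, lag {lag_days(lwn_id):+d} days, "
              f"ids {', '.join(e.ids) or '-'}")


if __name__ == "__main__":
    report()
```

On the data in the mail this gives lags of -10 days for apache2 (upload preceded the LWN entry), 0 for samba, +1 for gaim and +11 for kernel-source-2.6.8; the kernel figure is the one the mail itself flags as uncertain, since the changelog lists no identifier and the upload may or may not relate to the LWN item.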