Re: [SECURITY] [DSA 1438-1] New tar packages fix several vulnerabilities

Hi,

On Fri Dec 28, 2007 at 19:19:50 -0500, Jim Popovitch wrote:
> On Fri, 2007-12-28 at 22:36 +0100, Martin Zobel-Helas wrote:
> > On Fri Dec 28, 2007 at 22:10:08 +0100, Wolfgang Jeltsch wrote:
> > > However, I cannot see any security announcement for most of these. Were they
> > > updated because of the security fix for tar? If yes, why doesn’t the
> > > security announcement mention that updated versions are available also for
> > > those packages?
> >
> > see http://lists.debian.org/debian-announce/debian-announce-2007/msg00004.html
>
> Martin,
>
> First, I (and many others) appreciate your and everyone else's work on
> Debian. That said, I too am confused by the latest Debian 4.0 release.
> It seems to me that, in the past, all Debian patches were released with
> DSAs (why patch w/o a DSA?), and that further updates to the core
> release (Potato, Sid, Sarge, Etch, etc) were only a roll-up of
> previously issued DSAs. I don't recall new functionality ever being
> added in a core release update bundle (although I could be wrong).

You are (mostly) wrong here. Most of the packages mentioned under "Miscellaneous Bugfixes" in the Release Announcement are just bug fixes, several of them also have CVE numbers, of which the security team thinks which are not so important to fix. Others just add missing dependencies without those the package would not be able to run. Also other packages just get RC bugs fixed.

The only package which got REAL updates this time was the Debian Linux Kernel, to support eg. SGI o2 machines. Also some (sub-)architectures were missing some important kernel modules the other (sub-)archtitectures had, so we considered that as worth for updating the kernel.

> Consider that some people, such as myself, only update servers based on
> review of public DSA statements. Yet now we find ourselves with
> multiple days of updates to multiple pkgs, but no corresponding DSA
> announcements to cross reference for validity (which can easily make one
> suspect a mirror has been hacked).

Thus we try to send out the announcement to that 'point release' very short after packages have been pushed out to the mirrors (read as in: within one day). We cannot send it directly after the dinstall process, as only the tier-1 mirrors then would have those packages, but not tier-2 and tier-3 mirrors. Also consider some mirrors only update by cron twice a day.

> Since I'm not the only one confused by the recent updates, can we get
> some clarification on this process please. Specifically, is it
> currently Debian policy to release non-critical pkg updates, i.e.
> releases without DSAs, in periodic core release rollups? (is this new or
> has it been so in the past?) Could Debian be better served by calling
> the rollup (including new non-critical updates) a new release (i.e 4.1)?

These releases are called 'point releases' and are prepared publicly. Preperation mails to these point releases are periodicly sent to debian-releases@lists.debian.org[1]. Also prior releases had 'Miscellaneous Bugfixes', see eg. [2]. The list of 'Miscellaneous Bugfixes' just got a bit bigger, as the last point releases was for various reasons not 2 but 6 month ago.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

Also my predecessor, Joey Schulze, was much more strict regarding 'Miscellaneous Bugfixes', and several Debian Developers expressed the wish that his rules should be eased a bit. We are still very strict regarding these bugfixes but not as strict as he was.

I hereby will also say that these bugfixes (and point releases) will happen in future as well, so be prepared to it. You really should read debian-announce@lists.debian.org, as all these updates will be announced to that mailing list.

Hope that eMail helps a bit to clarify.

Greetings
Martin

[1] http://lists.debian.org/debian-release/2007/12/msg00203.html or

    http://lists.debian.org/debian-release/2007/12/msg00254.html

[2] http://lists.debian.org/debian-announce/debian-announce-2007/msg00003.html or

    http://lists.debian.org/debian-announce/debian-announce-2007/msg00000.html

-- 
[root@debian /root]# man real-life
No manual entry for real-life


-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek