Quoting Steve Kemp ([EMAIL PROTECTED]):
> On Sun, Jul 23, 2006 at 06:16:00PM +0200, Christian Perrier wrote:
> > Hello dear Security team (and ftpmasters, and shadow package maintainers),
> >
> > Being back from 2 days holiday I discover CVE-2006-3378 which has just
> > been revealed to our attention (#359174 in the BTS).
>
> I guess you mean #379174 here?

Yeah, sorry. The stress of discovering this after a quiet 2-days week-end can explain, I think.

> > What I propose to you, as soon as we have a fix for CVE-2006-3378:
> >
> > -urgently destroy 4.0.3-31sarge6 and 31sarge7 from the
> > proposed-updates queue. Need ftpmasters collaboration with high urgency
> > -the security team, or the shadow package team, prepares
> > 4.0.3-31sarge6 with the fix for CVE-2006-3378 *ALONE*
> > -the shadow package team prepares 4.0.3-31sarge7 with BOTH updates and
> > sends it to the proposed-updates queue so that it can be picked by the
> > SRM team when they're ready to update sarge
> >
>
> Sounds fine from the security point of view. Once a patch is
> available at least.

Waiting for it, yes. The first key point is the ftpmaster action... It will make things clearer and avoid a big mess.

