Hi, let a be an architecture in sarge. Then one of the following holds for mailman in sarge r3:

- it is affected by a security problem.
- it has a severity critical bug.

Mailman in sid:

- may or may not suffer from a security problem.

A security problem in Mailman in sarge patched in May has _not_ been issued a DSA.

Details:

There seems to have been a screw-up in the handling of mailman security and stable updates: there are two different mailman packages in Debian with version number 2.1.5-8sarge3.

History, in chronological order:

-8sarge2 security update to fix: potential DoS attack with malformed multi-part messages (closes: #358892) [CVE-2006-0052]

-8sarge3 maintainer update (that got frozen waiting for -8sarge2 to happen in order not to conflict with it) to fix bug #358575, a severity critical bug. Uploaded to stable-proposed-updates in the night from 11 to 12 April 2006, where it created problems because -8sarge1 was going into sarge r2, and having -8sarge3 appear confused everything. The stable update team said something along the lines of "will consider for sarge r3".

-8sarge3 security update to fix: format string vulnerability [src/common.c, debian/patches/72_CVE-2006-2191.dpatch]

That security update has not been announced by a DSA, and cannot be downloaded from http://security.debian.org/pool/updates/main/m/mailman/ . I don't have access to the source of this package. It was apparently prepared by Martin "Joey" Schulze on 13 May 2006.

As a maintainer of Mailman, I have no recollection of being notified of CVE-2006-2191 (it is possible I have missed the notification, but my email archives do not contain anything relevant with subject "mailman" and 2191 in the body); the CVE entry at mitre.org contains no information. I have no idea whether this security problem affects the version in sid or not; I have no precise information on _what_ this security problem is.

The situation right now:

- sarge r3 contains mailman 2.1.5-8sarge3, but some architectures have the security update (such as i386) and others have the maintainer update (such as source, sparc and alpha). Thus all architectures are screwed up in one way or the other.
- mailman 2.1.5-8sarge3 the security update is not publicly available, except for a few "select" architectures in binary form only (no source).

So, please, security team, tell us about CVE-2006-2191. If appropriate, issue a DSA about it, for a package under version number -8sarge4, built on top of -8sarge3 the maintainer update. Please give us (the mailman-in-Debian maintainers) the information needed to fix CVE-2006-2191 in sid, or make a retroactive note in the changelog to note when it was fixed by a new upstream version.

Stable release team, please react accordingly; you may for example do a binary sourceless NMU for the architectures that have -8sarge3 the security update so that they all have -8sarge3 the maintainer update.

Thank you in advance for your participation in untangling that mess,

-- 
Lionel Elie Mamane