On Sun, Sep 23, 2001 at 06:39:37PM +0300, Ilkka Tuohela wrote:

> Quite true. The only thing which could cause this is that there was a severe
> security flaw found with the version of ssh for potato, for which a patch was
> not available and the only way to fix the bug was to upgrade to the 2.9
> version. This is really improbable, anyway.
nope, the security team would backport the fix. the only time they don't do that is if the fix is so complicated and ingrained in the 2.x series that backporting would be more risky and problematic than a new upstream. about the only package that qualifies there is gnupg; the security team doesn't backport fixes to that package generally, but the new upstreams only fix the security holes anyway, so backporting them would be roughly equivalent to new upstream minus new version number..

> One thing users of these custom packages must remember is that their
> system now has something which is not supported: if a security flaw
> were found in openssh 2.9xx which doesn't exist in the potato version,
> the user must compile a new version by themselves; it's never upgraded
> with apt-get upgrade from official servers.

indeed. you have to be cautious with how many packages you backport and start monitoring them yourselves. though keeping an eye on security problems is a good idea anyway, since debian sometimes doesn't make security updates, or takes waaaay too long. proposed-updates has a potato libc update with only a security related change that's been there for months; also there is a procmail in proposed-updates fixing a signal vulnerability (root hole most likely, since it's setuid root by default), and it's been there for quite a while now. w3m has a hole that's only been silently fixed in i386 security.debian.org (perhaps others; powerpc has an uninstallable update).

-- 
Ethan Benson
http://www.alaska.net/~erbenson/