In <slrniabget.2pl.jo...@alea.gnuu.de>, Jörg Sommer wrote:
>on a lenny system with the package git-core installed from the security
>repository, debsecan marks CVE-2010-2542 as not fixed. In the last weeks,
>I saw different versions popping up. At least, one claims to fix
>CVE-2010-2542.

A new Debian package of git-core was prepared for stable and included in the 5.0.6 update to Lenny. This version addressed the permissions issue, but it hadn't spent any (much?) time in stable-proposed-updates or the security repository. Unfortunately, the i386 package was built in an odd environment, so git-core in current Lenny (5.0.6) on i386 is broken (can't clone or init due to overly restrictive permissions).

Stable is *only* updated at point releases, so git-core in Lenny (on i386) will be broken until 5.0.7 is released. As users of the package know, this is a fairly major regression over a relatively minor security issue.

Because of the severity of the issue, new versions of git-core were/are going to be made through (at least) the security and volatile repositories and possibly stable-proposed-updates and backports as well.

Bug #595728 documents most of this, and it may have been updated since last time I researched the issue.

-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
b...@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/