Thank you Salvatore & Thijs for your responses.

I appreciate and understand your advice.

My specific interest in the matter arose after receiving the alert. I prepared 
to install the update that was listed in the e-mail and found that the latest I 
could obtain (using apt-get) was the earlier version. I investigated further to 
ensure the system was appropriately up-to-date. Fortunately the web site 
confirmed that the version I had obtained with apt-get addressed the particular 
issue identified in the alert.

It did, however, leave me with some niggling doubts - as the difference might be 
interpreted as an indication of error or omission. (Your e-mail has, of course, 
dispelled such doubts).

So, though perhaps this has been considered previously, in the interests of 
improving Debian may I suggest that it might be better to delay the e-mail 
until the web page is updated (or, better yet, "push" the update of the web 
page)?

Irrespective, many thanks again to both of you and to the Debian community as a 
whole for all the work, the immense amount of work, that goes into making 
Debian such a wonderful distro.


Dave McDonald

-----Original Message-----
From: Salvatore Bonaccorso [mailto:salvatore.bonacco...@gmail.com] On Behalf Of 
Salvatore Bonaccorso
Sent: Tuesday, 10 November 2015 8:46 PM
To: David McDonald <david.mcdon...@semagroup.com.au>
Cc: 'debian-security@lists.debian.org' <debian-security@lists.debian.org>
Subject: Re: [SECURITY] [DSA 3386-2] unzip regression update

Hi David,

On Tue, Nov 10, 2015 at 08:59:04AM +0100, Thijs Kinkhorst wrote:
> Hi David,
> 
> On Mon, November 9, 2015 23:25, David McDonald wrote:
> > Hi Salvatore,
> >
> > Your e-mail below states:
> >
> >     "For the stable distribution (jessie), this problem has been fixed 
> > in version 6.0-16+deb8u2" (Nota bene the last digit)
> >
> > However, https://www.debian.org/security/2015/dsa-3386 states:
> >
> >     "For the stable distribution (jessie), these problems have been 
> > fixed in version 6.0-16+deb8u1"
> 
> The website is updated periodically so it can take a short while 
> before it reflects the update that was sent out in the email.

Just an additional note on the version numbers: the 6.0-16+deb8u1 was the 
version which fixed the security issues with CVE. 6.0-16+deb8u2 is an additional 
update which fixes a regression when extracting 0-byte files. So what the 
webpage reflects is the version where the security issues were fixed.

Hope this helps!

Regards,
Salvatore
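An added illustration of the check David was doing by hand (this is not code from the thread or from Debian): given the version a DSA names as fixed, decide whether the version apt-get installed is at least that version. On a Debian system `dpkg --compare-versions` is the authoritative tool; the code below reimplements the version ordering from Debian Policy section 5.6.12 (epoch, upstream, revision; alternating non-digit and digit runs; `~` sorting before everything) so it runs without dpkg, and uses the two version strings quoted above. The `dpkg -s` output it parses is a constructed sample.

```python
"""Compare Debian package versions to decide whether an installed version
covers a DSA's fixed version.  Added example, not part of the thread;
reimplements the ordering from Debian Policy 5.6.12 (dpkg is authoritative)."""
import re
from itertools import zip_longest

# Versions from the thread: the DSA web page names deb8u1 as the fix for the
# security issues; the DSA 3386-2 mail announces deb8u2 (a regression fix).
DSA_3386_FIXED = "6.0-16+deb8u1"
REGRESSION_UPDATE = "6.0-16+deb8u2"

# Constructed sample of `dpkg -s unzip` output (not a real capture).
SAMPLE_DPKG_STATUS = """Package: unzip
Status: install ok installed
Version: 6.0-16+deb8u2
"""


def _order(c):
    """Ordering of one non-digit character, as dpkg defines it:
    '~' sorts before everything (even end of string), letters before non-letters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _split(s, pattern):
    """Return (leading run matching pattern, remainder)."""
    m = re.match(pattern, s)
    return m.group(0), s[m.end():]


def _cmp_fragment(a, b):
    """Compare an upstream or revision part: alternate non-digit runs
    (character by character via _order) and digit runs (numerically)."""
    while a or b:
        na, a = _split(a, r"[^0-9]*")
        nb, b = _split(b, r"[^0-9]*")
        for x, y in zip_longest(na, nb, fillvalue=""):
            d = _order(x) - _order(y)
            if d:
                return -1 if d < 0 else 1
        da, a = _split(a, r"[0-9]*")
        db, b = _split(b, r"[0-9]*")
        ia = int(da) if da else 0   # leading zeros are insignificant
        ib = int(db) if db else 0
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_fragment(ua, ub)
    if c:
        return c
    return _cmp_fragment(ra, rb)


def installed_version(dpkg_status_text):
    """Pull the Version: field out of `dpkg -s` style output (None if absent)."""
    m = re.search(r"^Version:\s*(\S+)\s*$", dpkg_status_text, re.MULTILINE)
    return m.group(1) if m else None


def covered_by_dsa(installed, fixed=DSA_3386_FIXED):
    """True when the installed version is at least the version the DSA names."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    v = installed_version(SAMPLE_DPKG_STATUS)
    print(v, "covers DSA-3386:", covered_by_dsa(v))
    print("deb8u2 newer than deb8u1:", compare_versions(REGRESSION_UPDATE, DSA_3386_FIXED) == 1)
```

Both 6.0-16+deb8u1 and 6.0-16+deb8u2 satisfy the check, which is the point of Salvatore's note: the web page's version is the one where the security issues were fixed, and the later regression update is simply newer. A plain 6.0-16 is reported as not covered.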
