Hi Salvatore,

Correct - I now have the latest version:

# dpkg --list unzip
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                        Version            Architecture       Description
+++-===========================-==================-==================-===========================================================
ii  unzip                       6.0-16+deb8u2      amd64              De-archiver for .zip files

I expect that you're also right about being caught up with the issue concerning 
mirrors getting updated, though I don't immediately see how I can verify if 
this is true or not.

Much appreciated,


Dave

-----Original Message-----
From: Salvatore Bonaccorso [mailto:salvatore.bonacco...@gmail.com] On Behalf Of 
Salvatore Bonaccorso
Sent: Wednesday, 11 November 2015 4:52 PM
To: David McDonald <david.mcdon...@semagroup.com.au>
Cc: 'debian-security@lists.debian.org' <debian-security@lists.debian.org>
Subject: Re: [SECURITY] [DSA 3386-2] unzip regression update

Hi Dave,

On Tue, Nov 10, 2015 at 09:54:19PM +0000, David McDonald wrote:
> Thank you Salvatore & Thijs for your responses.
> 
> I appreciate and understand your advice.
> 
> My specific interest in the matter arose after receiving the alert.
> I prepared to install the update that was listed in the e-mail and 
> found that the latest I could obtain (using apt-get) was the earlier 
> version. I investigated further to ensure the system was appropriately 
> up-to-date. Fortunately the web site confirmed that the version I had 
> obtained with apt-get addressed the particular issue identified in the 
> alert.
> 
> It did, however leave me with some niggling doubts - as the difference 
> might be interpreted as an indication of error or omission. (Your 
> e-mail has, of course, dispelled such doubts).
> 
> So, though perhaps this has been considered previously, in the 
> interests of improving Debian may I suggest that it might be better to 
> delay the e-mail until the web page is updated (or, better yet, "push" 
> the update of the web page)?

Updating in a timely manner will probably not work with the current 
infrastructure unless the specific website can be updated on demand (instead of 
the regular interval triggered). But it is important to us that delivered 
updates and debian-security-announce mail are closely followed.

As you said above that you actually didn't receive the update immediately via 
apt-get upgrade after the mail announce: I have sent out the advisory just 
after the package got installed into the archive, but I have heard from the 
Debian system administrators that two security mirrors were not updated and 
were only fixed later. So maybe you got hit by this issue.

If you check it now, you have unzip 6.0-16+deb8u2 available via apt, right?

Regards,
Salvatore
