[Pkg-kde-extras] Bug#432007: security upgrade's version lower than in stable, no APT upgrades

Fabian Pietsch fabian at canvon.dyndns.org
Sun Sep 16 04:03:47 UTC 2007


Hi,

another security upgrade whose version is lower than in stable, so won't
be automatically upgraded by APT: ktorrent.

* [DSA 1372-1] New ktorrent packages fix directory traversal:
| Date: Tue, 11 Sep 2007 19:36:11 +0100
| 
| Package        : ktorrent
| Vulnerability  : directory traversal
| Problem type   : remote
| Debian-specific: no
| CVE Id(s)      : CVE-2007-1799
| Debian Bug     : 432007
| 
| It was discovered that ktorrent, a BitTorrent client for KDE, was vulnerable
| to a directory traversal bug which potentially allowed remote users to
| overwrite arbitrary files.
| 
| For the stable distribution (etch), this problem has been fixed in version
| 2.0.3+dfsg1-2etch1.

$ apt-cache policy ktorrent
ktorrent:
  Installed: 2.0.3+dfsg1-2.2
  Candidate: 2.0.3+dfsg1-2.2
  Version table:
     2.2.2.dfsg.1-1 0
         -1 http://ftp.de.debian.org sid/main Packages
 *** 2.0.3+dfsg1-2.2 0
        500 http://ftp2.de.debian.org etch/main Packages
        100 /var/lib/dpkg/status
     2.0.3+dfsg1-2etch1 0
        500 http://security.debian.org etch/updates/main Packages
$ dpkg --compare-versions 2.0.3+dfsg1-2.2 \< 2.0.3+dfsg1-2etch1 && echo true
$ dpkg --compare-versions 2.0.3+dfsg1-2.2 \> 2.0.3+dfsg1-2etch1 && echo true
true

Like Bug#424411: "qt4-x11 security upgrade's version lower than in etch",
which seems to have been silently fixed quite a while ago, the security
upgrade's version seems to be based on the last "normal" upload.
(2 -> 2etch1)

This leaves it lower than that of the auto-built bin-NMU (2 -> 2+b1) in
Bug#424411 and lower than that of the "regular" NMUs (2 -> 2.1 -> 2.2)
in this case.

This seems to be a common problem, and some technical fix (in the
Security Team's tools? in usage of dch?) seems appropriate. Immediately
use something like 2.etch1? (But might be inappropriately high in other
cases.)

Perhaps there could also be some tool that regularly checks whether
security upgrades are really newer (version-wise) than in stable?

At any rate, there should be a new upload with an upgradeable version.

Regards, Fabian

-- 
Fabian "zzz" Pietsch - http://zzz.arara.de/
