[Secure-testing-team] Another syntax addition: <removed>
Moritz Muehlenhoff
jmm at inutil.org
Tue Oct 4 19:17:01 UTC 2005
Florian Weimer wrote:
> > Moritz Muehlenhoff wrote:
> >> consider the following case: Package foo has a bug, the bug affects stable
> >> or oldstable, but the fix for sid/testing consists in the removal of foo
> >> or it has already been removed for other reasons.
> >> <not-affected> doesn't fit, because older releases of Debian _are_ affected,
> >> while the issue is no longer relevant for testing/sid. The solution is
> >> a new "solution state" <removed>. Please adapt external scripts for this
> >> new token; it'll be used soon. (bidwatcher, libsafe)
> >
> > IMHO the correct thing to do is to mark it as unfixed. Then if it
> > somehow re-enters testing later from sid, we will see it and go make
> > sure the new version is fixed.
>
> For the record, I agree.
>
> Moritz, I don't understand which problem you are trying to solve. If
> the package is not present in testing, it's not vulnerable.
CAN-2005-XXXX [Buffer overflow in Description parsing]
- bidwatcher <unfixed> (bug #319489; high)
woody, sarge:
Affected, fix in the hands of the security team, not of interest for us.
<not-affected> is not correct.
etch, sid:
The fix is to remove the package permanently from the archive, as it's broken
anyway. This is a "fix", as etch will not be affected, but not a complete fix
for those who still have bidwatcher installed. So this marks a package as
addressed, only not with a patch, but with a big hammer.
Plus, <removed> allows tsck to generate warnings for those who still have the
package installed (the respective dselect section is rather unknown to most
users).
Cheers,
Moritz
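As an added illustration (not code from the thread or from the secure-testing tracker), here is a small parser for entries in the list format quoted above that flags packages a host still has installed although the tracker records them as <removed> or <unfixed>; the sample entries, the second issue id and its bug number are constructed, and the exact "(bug #N; severity)" note layout is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the list format quoted in the mail; CAN-2005-YYYY,
# its packages and bug number are illustrative, not real tracker data.
SAMPLE = """\
CAN-2005-XXXX [Buffer overflow in Description parsing]
- bidwatcher <removed> (bug #319489; high)
CAN-2005-YYYY [Constructed example entry]
- libsafe <removed>
- foo <unfixed> (bug #000001; low)
- bar <not-affected>
"""

# "- <package> <state-or-version> (optional note)" -- assumed layout
ENTRY_RE = re.compile(r"^- (?P<pkg>\S+) (?P<fix>\S+)(?: \((?P<note>[^)]*)\))?$")

@dataclass
class Entry:
    cve: str
    package: str
    state: str                 # "<unfixed>", "<removed>", "<not-affected>" or a fixed version
    bug: Optional[int]
    severity: Optional[str]

def parse(text: str) -> list:
    entries, cve = [], None
    for line in text.splitlines():
        if not line.startswith("- "):
            cve = line.split()[0]      # the issue id line precedes its package lines
            continue
        m = ENTRY_RE.match(line.rstrip())
        if not m or cve is None:
            raise ValueError(f"unparseable line: {line!r}")
        bug = sev = None
        for part in (m["note"] or "").split(";"):
            part = part.strip()
            if part.startswith("bug #"):
                bug = int(part[5:])
            elif part:
                sev = part
        entries.append(Entry(cve, m["pkg"], m["fix"], bug, sev))
    return entries

def warnings(entries, installed):
    """Packages the tracker records as addressed only by removal, or as still
    unfixed, that a host nevertheless has installed: the case <removed> exists to flag."""
    return sorted((e.cve, e.package, e.state) for e in entries
                  if e.package in installed and e.state in ("<removed>", "<unfixed>"))
```

A <not-affected> entry produces no warning even when the package is installed, which is exactly the distinction the mail draws between the two tokens.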