Re: [Pan-users] Re: Pan and Ubuntu updates: Heads up


From: darren
Subject: Re: [Pan-users] Re: Pan and Ubuntu updates: Heads up
Date: Thu, 25 Dec 2008 09:58:23 -0800
User-agent: RoundCube Webmail/0.1.1
On Thu, 25 Dec 2008 09:32:06 +0000 (UTC), Duncan <address@hidden>
wrote:
> darren <address@hidden> posted
> address@hidden, excerpted below, on  Wed, 24
> Dec 2008 18:50:19 -0800:
> 
>> I am not sure why Hardy has not been updated to have the fix but I will
>> make a note on my calendar to poke around next week and see why it
>> didn't but the version in Intrepid /DOES/ have this fix.   It was
>> synched from Debian back in July and the fix for this went into Debian
>> in June: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483562
>>
>> Here is the Changelog from the version in Intrepid:
>> http://changelogs.ubuntu.com/changelogs/pool/main/p/pan/
>> pan_0.132-3.1ubuntu1/changelog
>>
>> You will see that the fix hit about 14 days after it hit Debian.
> 
> So they did the patch-bump rather than grab the new version.  OK, that
> works.  But I think I see why they didn't bump hardy.  If you check the
> log, the Debian security fix was "urgency=high", while (if I'm reading
> correctly) the Ubuntu merge including it was "urgency=low".  Obviously,
> whoever merged it either didn't read the changelog for what he was
> merging and thus didn't see the "urgency=high" security fix, or he did,
> and flat disagreed with the urgency evaluation.  Either way, urgency=low
> would mean there's little reason to backport and test for hardy.
> 
> But I asked and I thought someone posted confirmation that 8.10
> (intrepid, I guess, as a non-Ubuntu user I have trouble keeping name-
> version linking straight) was indeed still vulnerable?  I guess the
> confirmation was that it was still 0.132 and I assumed it was still
> vulnerable because I thought surely if they were running the same base
> version and had security-patched one, they'd security-patch the other,
> and they hadn't patched 8.4 so I assumed that meant that since 8.10 was
> running 0.132 as well, they hadn't security patched it either.
> 
> Anyway, it's good to know that at least those who keep up with the latest
> Ubuntu version aren't vulnerable any more, even if the previous version,
> a supposed long-term support version (IIRC), is still vulnerable now
> ~seven months after the initial report, ~six months after they merged the
> patch for their next short-term support version and several other
> distributions merged their corresponding patches, and ~four months after
> those same distributions posted their corresponding security alert
> warnings.
> 
> --
> Duncan - List replies preferred.   No HTML msgs.
> "Every nonfree program has a lord, a master --
> and if you use the program, he is your master."  Richard Stallman
> 
> 

While this is not a defense in my opinion, Ubuntu has this statement
regarding packages in Universe:
http://www.ubuntu.com/community/ubuntustory/components
"All of this software is compiled against the libraries and using the tools
that form part of main, so it should install and work well with the
software in main, but it comes with no guarantee of security fixes and
support."

Packages in Universe are maintained by the MOTU team, who keep the packages
up to date. I am going to try and find out who to contact on that team
next week to see about getting the patch included in Hardy (8.04).

On a side note, the Fedora bug is still showing as open, so it may not have
been applied there either.   Maybe someone on this list who runs Fedora can
chase that down?
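The thread above turns on two things you can read straight out of a package's Debian-format changelog: which version closed the bug, and whether the entry that carried the fix into the derivative distribution kept the upstream "urgency=high" or was merged at "urgency=low". The script below is an added example for this thread, not code from the Pan project or from Debian/Ubuntu tooling. It parses changelog entries (package, version, target distribution, urgency, body), reports the version that closes a given bug number, and flags entries whose body describes a security change but whose urgency is not high. The changelog text, the package name `foo` and bug number 123456 are constructed for illustration and are not the real pan changelog.

```python
"""Parse a Debian/Ubuntu changelog and check how a security fix was carried.

Added example for this thread; not code from the Pan project or from
Debian/Ubuntu tooling. The changelog text below is CONSTRUCTED for
illustration (package 'foo' and bug #123456 are hypothetical).
"""
import re
from dataclasses import dataclass, field

# Entry header: "pkg (version) dist[ dist...]; urgency=level"
HEADER_RE = re.compile(
    r"^(?P<package>[a-z0-9][a-z0-9+.-]*) \((?P<version>[^)]+)\) "
    r"(?P<dists>[^;]+); urgency=(?P<urgency>\w+)"
)
# Entry trailer: " -- Name <email>  Date" (two spaces before the date)
TRAILER_RE = re.compile(r"^ -- .+  .+$")
SECURITY_RE = re.compile(r"\b(security|CVE-\d{4}-\d+)\b", re.IGNORECASE)
BUG_RE = re.compile(r"[Cc]loses:\s*#?(\d+)")


@dataclass
class Entry:
    package: str
    version: str
    dists: str
    urgency: str
    body: list = field(default_factory=list)

    def bugs(self):
        """Bug numbers this entry claims to close."""
        return {int(b) for line in self.body for b in BUG_RE.findall(line)}

    def mentions_security(self):
        return any(SECURITY_RE.search(line) for line in self.body)


def parse_changelog(text):
    """Return entries in file order (Debian changelogs are newest first)."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Entry(m["package"], m["version"],
                            m["dists"].strip(), m["urgency"])
            entries.append(current)
        elif current is not None and line.strip() and not TRAILER_RE.match(line):
            current.body.append(line.strip())
    return entries


def version_fixing_bug(entries, bug):
    """Version of the newest entry that closes `bug`, or None if absent."""
    for e in entries:
        if bug in e.bugs():
            return e.version
    return None


def urgency_mismatches(entries):
    """Versions whose body describes a security change but urgency != high."""
    return [e.version for e in entries
            if e.mentions_security() and e.urgency != "high"]


# Constructed changelog of the newer release: Debian fix at urgency=high,
# then a derivative merge that carries it at urgency=low.
INTREPID_CHANGELOG = """\
foo (1.2-3ubuntu1) intrepid; urgency=low

  * Merge from Debian unstable, includes the security fix from 1.2-3.
    Remaining changes:
    - build with distribution tool chain flags

 -- Example Merger <merger@example.com>  Wed, 09 Jul 2008 10:00:00 +0000

foo (1.2-3) unstable; urgency=high

  * Security fix: heap overflow in header parser. (Closes: #123456)

 -- Example Maintainer <maint@example.com>  Mon, 23 Jun 2008 10:00:00 +0000

foo (1.2-2ubuntu1) hardy; urgency=low

  * Merge from Debian unstable.

 -- Example Merger <merger@example.com>  Tue, 15 Jan 2008 10:00:00 +0000
"""

# Constructed changelog of the older release, which never got the fix.
HARDY_CHANGELOG = INTREPID_CHANGELOG[INTREPID_CHANGELOG.index("foo (1.2-2ubuntu1)"):]


if __name__ == "__main__":
    for name, text in (("intrepid", INTREPID_CHANGELOG), ("hardy", HARDY_CHANGELOG)):
        entries = parse_changelog(text)
        print(name, "fix for #123456 in:", version_fixing_bug(entries, 123456))
        print(name, "security entries not at urgency=high:", urgency_mismatches(entries))
```

Run it against `/usr/share/doc/<package>/changelog.Debian.gz` (decompressed) for the package you actually have installed; if `version_fixing_bug` returns None the fix never reached that release, and any version listed by `urgency_mismatches` is a merge worth asking the maintainers about.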
