| 1 |
I would have to 100% disagree with you on this. |
| 2 |
|
| 3 |
GLSA's are to keep the end user informed about security updates. The |
| 4 |
pure existence of a security update alone should not dictate that a |
| 5 |
package is stable. Standard Q/A must still apply. |
| 6 |
|
| 7 |
x86 was just bumped to stable btw. |
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
On Mon, 2003-09-29 at 11:50, Thomas T. Veldhouse wrote: |
| 12 |
> True, but that is not acceptable for me (or many admins I suspect). An |
| 13 |
> unstable/testing security fix is itself a security risk, otherwise, it |
| 14 |
> should be marked stable (as anything sent out in a GLSA should be IMHO). |
| 15 |
> |
| 16 |
> Tom Veldhouse |
| 17 |
> |
| 18 |
> ----- Original Message ----- |
| 19 |
> From: "Ned Ludd" <solar@g.o> |
| 20 |
> To: "Thomas T. Veldhouse" <veldy@×××××.net> |
| 21 |
> Cc: "Daniel Ahlberg" <aliz@g.o>; <gentoo-security@g.o> |
| 22 |
> Sent: Monday, September 29, 2003 10:39 AM |
| 23 |
> Subject: Re: [gentoo-security] Re: [gentoo-announce] GLSA: |
| 24 |
> net-ftp/proftpd(200309-16) |
| 25 |
> |
| 26 |
> net-ftp/proftpd has not been marked stable in the portage tree as of |
| 27 |
> yet, you can however merge it if your accepting ~arch keywords. |
| 28 |
> |
| 29 |
> ACCEPT_KEYWORDS="x86 ~x86" emerge '>=net-ftp/proftpd-1.2.9_rc2' |
| 30 |
> When we get a few end user reports of it working we will mark it as |
| 31 |
> stable. |
| 32 |
> |
| 33 |
> On Mon, 2003-09-29 at 10:47, Thomas T. Veldhouse wrote: |
| 34 |
> > This is not adequate for a Gentoo stable system! |
| 35 |
> > |
| 36 |
> > # emerge '>=net-ftp/proftpd-1.2.9_rc2' |
| 37 |
> > Calculating dependencies |
| 38 |
> > !!! all ebuilds that could satisfy ">=net-ftp/proftpd-1.2.9_rc2" have been |
| 39 |
> > masked. |
| 40 |
> > |
| 41 |
> > !!! Error calculating dependencies. Please correct. |
| 42 |
> > |
| 43 |
> > Tom Veldhouse |
| 44 |
> > |
| 45 |
> > ----- Original Message ----- |
| 46 |
> > From: "Daniel Ahlberg" <aliz@g.o> |
| 47 |
> > To: <gentoo-announce@g.o>; <bugtraq@×××××××××××××.com>; |
| 48 |
> > <full-disclosure@××××××××××××.com> |
| 49 |
> > Sent: Monday, September 29, 2003 9:23 AM |
| 50 |
> > Subject: [gentoo-announce] GLSA: net-ftp/proftpd (200309-16) |
| 51 |
> > |
| 52 |
> > |
| 53 |
> > > -----BEGIN PGP SIGNED MESSAGE----- |
| 54 |
> > > Hash: SHA1 |
| 55 |
> > > |
| 56 |
> > |
| 57 |
> > - ------------------------------------------------------------------------ |
| 58 |
> > > GENTOO LINUX SECURITY ANNOUNCEMENT 200309-16 |
| 59 |
> > |
| 60 |
> > - ------------------------------------------------------------------------ |
| 61 |
> > > PACKAGE : net-ftp/proftpd |
| 62 |
> > > SUMMARY : ASCII File Remote Compromise Vulnerability |
| 63 |
> > > DATE : 2003-09-28 00:37 UTC |
| 64 |
> > > EXPLOIT : remote |
| 65 |
> > > VERSIONS AFFECTED : <proftpd-1.2.9_rc2 |
| 66 |
> > > FIXED VERSION : =proftpd-1.2.9_rc2 |
| 67 |
> > > GENTOO BUG ID : 29452 |
| 68 |
> > > CVE : none that we are aware of at this time |
| 69 |
> > |
| 70 |
> > - ------------------------------------------------------------------------ |
| 71 |
> > > |
| 72 |
> > > SUMMARY: |
| 73 |
> > > |
| 74 |
> > > ISS X-Force discovered a vulnerability that could be triggered when a |
| 75 |
> > > specially crafted file is uploaded to a proftpd server. |
| 76 |
> > > |
| 77 |
> > > Read the full advisory at: |
| 78 |
> > > http://www.proftpd.org/ |
| 79 |
> > > |
| 80 |
> > > SOLUTION: |
| 81 |
> > > |
| 82 |
> > > It is recommended that all Gentoo Linux users who are running |
| 83 |
> > > net-ftp/proftpd upgrade to proftpd-1.29_rc2 as follows |
| 84 |
> > > |
| 85 |
> > > emerge sync |
| 86 |
> > > emerge '>=net-ftp/proftpd-1.2.9_rc2' |
| 87 |
> > > emerge clean |
| 88 |
> > > |
| 89 |
> > |
| 90 |
> > - - - -------------------------------------------------------------------- |
| 91 |
> > - |
| 92 |
> > > solar@g.o |
| 93 |
> > > aliz@g.o - GnuPG key is available at http://dev.gentoo.org/~aliz |
| 94 |
> > |
| 95 |
> > - - - -------------------------------------------------------------------- |
| 96 |
> > - |
| 97 |
> > > |
| 98 |
> > > -----BEGIN PGP SIGNATURE----- |
| 99 |
> > > Version: GnuPG v1.2.3 (GNU/Linux) |
| 100 |
> > > |
| 101 |
> > > iD8DBQE/eEBbfT7nyhUpoZMRArDnAKCFlLbPmeC/S05/0EG1pqJc9BbClACgjPY6 |
| 102 |
> > > OintOPB6pXf211OQxsUC7Tg= |
| 103 |
> > > =+hmK |
| 104 |
> > > -----END PGP SIGNATURE----- |
| 105 |
> > > |
| 106 |
> > |
| 107 |
-- |
| 108 |
Ned Ludd <solar@g.o> |
| 109 |
Gentoo Linux Developer |
Archives