I would have to 100% disagree with you on this.

GLSA's are to keep the end user informed about security updates. The
pure existence of a security update alone should not dictate that a
package is stable. Standard Q/A must still apply.

x86 was just bumped to stable btw.

On Mon, 2003-09-29 at 11:50, Thomas T. Veldhouse wrote:
> True, but that is not acceptable for me (or many admins I suspect). An
> unstable/testing security fix is itself a security risk, otherwise, it
> should be marked stable (as anything sent out in a GLSA should be IMHO).
>
> Tom Veldhouse
>
> ----- Original Message -----
> From: "Ned Ludd" <solar@g.o>
> To: "Thomas T. Veldhouse" <veldy@×××××.net>
> Cc: "Daniel Ahlberg" <aliz@g.o>; <gentoo-security@g.o>
> Sent: Monday, September 29, 2003 10:39 AM
> Subject: Re: [gentoo-security] Re: [gentoo-announce] GLSA:
> net-ftp/proftpd(200309-16)
>
> net-ftp/proftpd has not been marked stable in the portage tree as of
> yet, you can however merge it if you're accepting ~arch keywords.
>
> ACCEPT_KEYWORDS="x86 ~x86" emerge '>=net-ftp/proftpd-1.2.9_rc2'
> When we get a few end user reports of it working we will mark it as
> stable.
>
> On Mon, 2003-09-29 at 10:47, Thomas T. Veldhouse wrote:
> > This is not adequate for a Gentoo stable system!
> >
> > # emerge '>=net-ftp/proftpd-1.2.9_rc2'
> > Calculating dependencies
> > !!! all ebuilds that could satisfy ">=net-ftp/proftpd-1.2.9_rc2" have been
> > masked.
> >
> > !!! Error calculating dependencies. Please correct.
> >
> > Tom Veldhouse
> >
> > ----- Original Message -----
> > From: "Daniel Ahlberg" <aliz@g.o>
> > To: <gentoo-announce@g.o>; <bugtraq@×××××××××××××.com>;
> > <full-disclosure@××××××××××××.com>
> > Sent: Monday, September 29, 2003 9:23 AM
> > Subject: [gentoo-announce] GLSA: net-ftp/proftpd (200309-16)
> >
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> >
> > - ------------------------------------------------------------------------
> > > GENTOO LINUX SECURITY ANNOUNCEMENT 200309-16
> >
> > - ------------------------------------------------------------------------
> > > PACKAGE : net-ftp/proftpd
> > > SUMMARY : ASCII File Remote Compromise Vulnerability
> > > DATE : 2003-09-28 00:37 UTC
> > > EXPLOIT : remote
> > > VERSIONS AFFECTED : <proftpd-1.2.9_rc2
> > > FIXED VERSION : =proftpd-1.2.9_rc2
> > > GENTOO BUG ID : 29452
> > > CVE : none that we are aware of at this time
> >
> > - ------------------------------------------------------------------------
> > >
> > > SUMMARY:
> > >
> > > ISS X-Force discovered a vulnerability that could be triggered when a
> > > specially crafted file is uploaded to a proftpd server.
> > >
> > > Read the full advisory at:
> > > http://www.proftpd.org/
> > >
> > > SOLUTION:
> > >
> > > It is recommended that all Gentoo Linux users who are running
> > > net-ftp/proftpd upgrade to proftpd-1.29_rc2 as follows
> > >
> > > emerge sync
> > > emerge '>=net-ftp/proftpd-1.2.9_rc2'
> > > emerge clean
> > >
> >
> > - - - --------------------------------------------------------------------
> > -
> > > solar@g.o
> > > aliz@g.o - GnuPG key is available at http://dev.gentoo.org/~aliz
> >
> > - - - --------------------------------------------------------------------
> > -
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.2.3 (GNU/Linux)
> > >
> > > iD8DBQE/eEBbfT7nyhUpoZMRArDnAKCFlLbPmeC/S05/0EG1pqJc9BbClACgjPY6
> > > OintOPB6pXf211OQxsUC7Tg=
> > > =+hmK
> > > -----END PGP SIGNATURE-----
> > >
> >
--
Ned Ludd <solar@g.o>
Gentoo Linux Developer