[Pan-users] Re: Pan and Ubuntu updates: Heads up


From: Duncan
Subject: [Pan-users] Re: Pan and Ubuntu updates: Heads up
Date: Thu, 25 Dec 2008 09:32:06 +0000 (UTC)
User-agent: Pan/0.133 (House of Butterflies)

darren <address@hidden> posted
address@hidden, excerpted below, on  Wed, 24
Dec 2008 18:50:19 -0800:

> I am not sure why Hardy has not been updated to have the fix but I will
> make a note on my calendar to poke around next week and see why it
> didn't but the version in Intrepid /DOES/ have this fix.   It was
> synched from Debian back in July and the fix for this went into Debian
> in June: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483562
> 
> Here is the Changelog from the version in Intrepid:
> http://changelogs.ubuntu.com/changelogs/pool/main/p/pan/pan_0.132-3.1ubuntu1/changelog
> 
> You will see that the fix hit about 14 days after it hit Debian.

So they did the patch-bump rather than grab the new version.  OK, that 
works.  But I think I see why they didn't bump hardy.  If you check the 
log, the Debian security fix was "urgency=high", while (if I'm reading 
correctly) the Ubuntu merge including it was "urgency=low".  Obviously, 
whoever merged it either didn't read the changelog for what he was 
merging and thus didn't see the "urgency=high" security fix, or he did, 
and flat disagreed with the urgency evaluation.  Either way, urgency=low 
would mean there's little reason to backport and test for hardy.

But I asked and I thought someone posted confirmation that 8.10 
(intrepid, I guess, as a non-Ubuntu user I have trouble keeping name-
version linking straight) was indeed still vulnerable?  I guess the 
confirmation was that it was still 0.132 and I assumed it was still 
vulnerable because I thought surely if they were running the same base 
version and had security-patched one, they'd security-patch the other, 
and they hadn't patched 8.4 so I assumed that meant that since 8.10 was 
running 0.132 as well, they hadn't security patched it either.

Anyway, it's good to know that at least those who keep up with the latest 
Ubuntu version aren't vulnerable any more, even if the previous version, 
a supposed long-term support version (IIRC), is still vulnerable now 
~seven months after the initial report, ~six months after they merged the 
patch for their next short-term support version and several other 
distributions merged their corresponding patches, and ~four months after 
those same distributions posted their corresponding security alert 
warnings.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
