[Pan-users] Re: Pan and Ubuntu updates: Heads up
From: Duncan
Subject: [Pan-users] Re: Pan and Ubuntu updates: Heads up
Date: Thu, 25 Dec 2008 09:32:06 +0000 (UTC)
User-agent: Pan/0.133 (House of Butterflies)
darren <address@hidden> posted address@hidden, excerpted below, on Wed, 24 Dec 2008 18:50:19 -0800:
> I am not sure why Hardy has not been updated to have the fix but I will
> make a note on my calendar to poke around next week and see why it
> didn't but the version in Intrepid /DOES/ have this fix. It was
> synched from Debian back in July and the fix for this went into Debian
> in June: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483562
>
> Here is the Changelog from the version in Intrepid:
> http://changelogs.ubuntu.com/changelogs/pool/main/p/pan/pan_0.132-3.1ubuntu1/changelog
>
> You will see that the fix hit about 14 days after it hit Debian.
So they did the patch-bump rather than grab the new version. OK, that
works. But I think I see why they didn't bump hardy. If you check the
log, the Debian security fix was "urgency=high", while (if I'm reading
correctly) the Ubuntu merge including it was "urgency=low". Obviously,
whoever merged it either didn't read the changelog for what he was
merging and thus didn't see the "urgency=high" security fix, or he did,
and flat disagreed with the urgency evaluation. Either way, urgency=low
would mean there's little reason to backport and test for hardy.
But I asked and I thought someone posted confirmation that 8.10
(intrepid, I guess, as a non-Ubuntu user I have trouble keeping name-
version linking straight) was indeed still vulnerable? I guess the
confirmation was that it was still 0.132 and I assumed it was still
vulnerable because I thought surely if they were running the same base
version and had security-patched one, they'd security-patch the other,
and they hadn't patched 8.4 so I assumed that meant that since 8.10 was
running 0.132 as well, they hadn't security patched it either.
Anyway, it's good to know that at least those who keep up with the latest
Ubuntu version aren't vulnerable any more, even if the previous version,
a supposed long-term support version (IIRC), is still vulnerable now
~seven months after the initial report, ~six months after they merged the
patch for their next short-term support version and several other
distributions merged their corresponding patches, and ~four months after
those same distributions posted their corresponding security alert
warnings.
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman