Re: rssh update
From: Tim C. <tj...@sa...> - 2006-07-18 11:10:59
On 18 Jul 2006, at 11:31 am, richard lucassen wrote:

> Hello list,
>
> On Bugtraq I saw this Debian update for rssh, but on the homepage I
> can't find anything. It says that "Russ Albery" found a bug in rssh,
> but according to the rssh homepage the last bugfix was from january 6
> 2006 and was discovered by Max Vozeler. Is the pizzashack.org website
> up2date?

Don't panic. It's fixed in Derek's code too.

Speaking as a Debian developer, let me explain how Debian's security update process works. Essentially, Debian *never* upgrades to a new upstream version in order to fix a security bug. The reason for this is that we don't want to introduce any new bugs, or unexpected functionality changes, that such an upgrade might bring. Instead, any upstream fix is backported to the current stable release code, and released with a new Debian packaging number. Only when Debian performs a major stable release (for example the move from sarge to etch, currently slated for November this year) are new versions brought in from upstream.

If you read the bug report at:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=346322

You will see that Derek fixed this when he released rssh 2.3.2. Debian have their own fix in 2.2.3, which is the version currently in the stable tree.

Tim