Hi, another security upgrade whose version is lower than in stable, so won't be automatically upgraded by APT: ktorrent.

* [DSA 1372-1] New ktorrent packages fix directory traversal:
| Date: Tue, 11 Sep 2007 19:36:11 +0100
|
| Package        : ktorrent
| Vulnerability  : directory traversal
| Problem type   : remote
| Debian-specific: no
| CVE Id(s)      : CVE-2007-1799
| Debian Bug     : 432007
|
| It was discovered that ktorrent, a BitTorrent client for KDE, was vulnerable
| to a directory traversal bug which potentially allowed remote users to
| overwrite arbitrary files.
|
| For the stable distribution (etch), this problem has been fixed in version
| 2.0.3+dfsg1-2etch1.

$ apt-cache policy ktorrent
ktorrent:
  Installed: 2.0.3+dfsg1-2.2
  Candidate: 2.0.3+dfsg1-2.2
  Version table:
     2.2.2.dfsg.1-1 0
         -1 http://ftp.de.debian.org sid/main Packages
 *** 2.0.3+dfsg1-2.2 0
        500 http://ftp2.de.debian.org etch/main Packages
        100 /var/lib/dpkg/status
     2.0.3+dfsg1-2etch1 0
        500 http://security.debian.org etch/updates/main Packages

$ dpkg --compare-versions 2.0.3+dfsg1-2.2 \< 2.0.3+dfsg1-2etch1 && echo true
$ dpkg --compare-versions 2.0.3+dfsg1-2.2 \> 2.0.3+dfsg1-2etch1 && echo true
true

Like Bug#424411: "qt4-x11 security upgrade's version lower than in etch",
which seems to have been silently fixed quite a while ago, the security
upgrade's version seems to be based on the last "normal" upload.
(2 -> 2etch1)

This leaves it lower than that of the auto-built bin-NMU (2 -> 2+b1) in
Bug#424411 and lower than that of the "regular" NMUs (2 -> 2.1 -> 2.2)
in this case.

This seems to be a common problem, and some technical fix (in the
Security Team's tools? in usage of dch?) seems appropriate. Immediately
use something like 2.etch1? (But might be inappropriately high in other
cases.)

Perhaps there could also be some tool that regularly checks whether
security upgrades are really newer (version-wise) than in stable?

At any rate, there should be a new upload with an upgradeable version.

Regards, Fabian

-- 
Fabian "zzz" Pietsch - http://zzz.arara.de/
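
The ordering shown by the dpkg output in the message, as an added example that is not part of the original message and is not dpkg's own code: a Python re-implementation of Debian's version comparison rules, plus the kind of "is the security version really newer?" check the message proposes. The names `compare` and `not_upgradeable` and the `examplepkg` entry are constructed for illustration; the ktorrent versions are the ones quoted above.

```python
import re

DIGITS = "0123456789"

def _order(c):
    """dpkg character weight: '~' < end-of-string/digit < letters < other."""
    if c == "~":
        return -1
    if c == "" or c in DIGITS:
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream-version or Debian-revision strings."""
    while a or b:
        # Non-digit prefixes are compared character by character.
        while (a and a[0] not in DIGITS) or (b and b[0] not in DIGITS):
            wa, wb = _order(a[:1]), _order(b[:1])
            if wa != wb:
                return -1 if wa < wb else 1
            a, b = a[1:], b[1:]
        # Digit runs are compared numerically; an empty run counts as 0.
        da, db = re.match("[0-9]*", a).group(), re.match("[0-9]*", b).group()
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def parse(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare(v1, v2):
    """Return -1, 0 or 1 as v1 sorts before, equal to or after v2."""
    (e1, u1, r1), (e2, u2, r2) = parse(v1), parse(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def not_upgradeable(stable, security):
    """Packages whose security version does not sort above the stable one."""
    return sorted(p for p, v in security.items()
                  if p in stable and compare(v, stable[p]) <= 0)

# ktorrent versions are from the message; examplepkg is constructed.
STABLE = {"ktorrent": "2.0.3+dfsg1-2.2", "examplepkg": "1.0-1"}
SECURITY = {"ktorrent": "2.0.3+dfsg1-2etch1", "examplepkg": "1.0-1etch1"}
```

`not_upgradeable(STABLE, SECURITY)` flags ktorrent because in the revision the letter `e` of `2etch1` sorts before the `.` of `2.2` and the `+` of `2+b1`; on a Debian system `dpkg --compare-versions` remains the authoritative comparison.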