Hi Antoine,

On 16.12.2016 at 15:15, Antoine Beaupré wrote:
> I am looking at recent nagios3 vulnerabilities and I can't make sense of
> this:
>
> nagios3 (3.4.1-3+deb7u1) wheezy; urgency=low
>
> [...]
>
> -- Jonas Meurer <m...@debian.org> Fri, 01 Nov 2013 14:32:18 +0100
>
> https://tracker.debian.org/media/packages/n/nagios3/changelog-3.4.1-5~bpo7%2B1
>
> nagios3 (3.4.1-5~bpo7+1) wheezy-backports; urgency=low
>
> * Backport for wheezy.
>
> -- Jonas Meurer <m...@debian.org> Fri, 01 Nov 2013 11:59:02 +0100
>
> https://tracker.debian.org/media/packages/n/nagios3/changelog-3.4.1-3%2Bdeb7u1
>
> Why did you upload almost identical versions of nagios3 to
> wheezy-backports *and* wheezy at the time?

I agree that this doesn't make sense without context. The reason for both
uploads was to fix CVE-2013-2214 in wheezy. I remember that back then I was
unsure whether an upload to wheezy would have been accepted by the stable
release managers after it got rejected by the security team.[1] Thus I first
did the backport in order to have a fixed version available for wheezy at
all. Shortly after, I got the approval by the stable release managers to go
for the 3.4.1-3+deb7u1 upload to wheezy.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714171

> It will make updating this for the security issues much harder than it
> should be.
>
> Could you arrange for the backport to be updated or removed?

I see that the current situation with a higher nagios3 version in backports
than in wheezy-security is not very nice. I'll ping the backports ftpmasters
and ask for removal of nagios3 from wheezy-backports.

Cheers,
 jonas