On Sat, Jul 23, 2022 at 11:34:45AM +0200, Thomas Schmitt wrote:
> Alexander V. Makartsev wrote:
> > Then why "nvidia-driver" in Stable was switched from previous "460.91.03-1"
> > version to "470.129.06-6~deb11u1"?
> >
> https://tracker.debian.org/news/1345038/accepted-nvidia-graphics-drivers-47012906-6deb11u1bpo101-source-amd64-into-buster-backports-backports-policy-buster-backports/
> closes 24 bugs and fixes 6 CVEs.
>
> Obviously this was not a cautious detail fix by a concise patch but
> rather a switch to a new upstream release. Already the first CVE in the
> list shows that the old situation was quite desperate.

Sometimes, the only way to fix security bugs is to use a newer upstream version. The Debian teams try hard to avoid it, but it has happened before, and it will happen again. A couple other packages that have a history of receiving new upstream versions in stable, in order to fix security bugs, are samba and bind9. Samba once received such a new version that it required users to change their configuration files in the middle of a stable release. Annoying, but such is the world in which we live.