Re: [bulletproof.net.au #29025] [Comment] [SECURITY] [DSA 525-1] New apache packages fix buffer overflow in mod_proxy
On Mon, Jun 28, 2004 at 12:55:58PM +1000, Lorenzo Modesto via RT wrote:
> If a customer is affected we have to announce. Send it through and
> I'll approve.

You guys do realise your Request Tracker setup is replying all correspondence on tickets that are being gated into RT back to the debian-security mailing list?

Andrew

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Why not push to stable?
On Sat, Jun 26, 2004 at 02:55:28PM +0200, martin f krafft wrote:
> also sprach Andreas Barth <[EMAIL PROTECTED]> [2004.06.26.1452 +0200]:
> > what's the problem with:
> > deb mirror
> > deb security.d.o
> >
> > In this case, the file is taken from the mirror if it exists already
> > there, and otherwise from security.d.o.
>
> I understand. There is no problem. I am just wondering why the
> packages aren't also put into stable. Read my reply to Mike (which
> was sent after you wrote the above), please.

Methinks it's just a release practice. Until a point release of stable is made, you take stable, which is a known version, and known to be consistent, and then apply all security updates to get a secure system. If security updates got constantly pushed to stable, it'd mean Debian 3.0r2 one day wouldn't be the same as 3.0r2 the next day. Would also make CD making a bit difficult.

It's kind of similar to the question of why we bother to release at all. You could just install testing on any given day.

regards
Andrew
Re: full disclosure, or not?
On Sat, Jun 26, 2004 at 09:55:01PM +0200, Horst Pflugstaedt wrote:
> > what would be the alternative?
> The security team would have to announce "there's a possible security
> flaw in package XY, we're on it, but it may take some more days to fix
> it"
>
> What's the worth of such announcements? Users (You'd) know about a bug, but
> still could not do anything about it. After all, I'd strongly object
> to my web-host/ISP/Sys-Admin/... switching off
> apache/php/ssh/name-whatever-tool-you-really-need because they have heard of
> a yet unfixed security-problem.

As a sysadmin I'd like a heads up to know I have to keep my eyes peeled more than usual for a certain duration. And I'd like to make the decision of "taking down services" vs. "not taking them down, because mission critical" myself on a case-by-case basis. Keep me informed, and I'll be able to make informed decisions.

(Substitute "I" and "myself" up there with "relevant group of people for this kind of decision-making" and "our network-using entity" :) ).

Regs,
Sven

--
-Trigital- Sven Riedel . Tel: +49 511 1236364 . Fax: +49 511 1690746 . email: [EMAIL PROTECTED]