Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities

2010-10-12 Thread Florian Weimer
* Michael Gilbert:

> The problem here appears to be the jump to the new upstream version
> (1.8.2 to 1.8.13), which has a different dependency set.

The actual problem was that the dependency set was initially different
(it included additional, incorrect dependencies).  This was corrected,
and upgrades and installation of the new version were tested again.
Due to the dpkg/apt-get split, I installed the dependencies manually
on a clean system, and erroneously included the wwwconfig-common
dependency, even though the updated package lacked that.  As a result,
I missed the dropped dependency.

> New upstreams are usually disallowed in security uploads.  The
> question is why was that OK in this case, rather than the standard
> backporting approach?

If upstream provides a stable branch which focuses on bug fixes, we
might also use that.  This is a per-package decision.  Other packages
for which we generally follow this approach are BIND and PostgreSQL.
In some sense, this also applies to the linux-2.6 package.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87y6a3w2w7@mid.deneb.enyo.de
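The regression Florian describes above (a dependency dropped from the new package and masked because the test system already had it installed by hand) is the kind of change a mechanical comparison of the old and new Depends fields would have flagged. The POSIX shell script below is an added example, not code from this thread or from Debian's own tooling; the two Depends strings are constructed for illustration and are not the real control fields of moodle 1.8.2 or 1.8.13.

```shell
#!/bin/sh
# Added example: report dependencies that a new Debian binary package
# dropped relative to the previous version, so a dropped (or newly
# missing) dependency is reviewed before a security upload ships.

# Normalise a Depends field to one bare package name per line: split on
# commas and '|' alternatives, strip version constraints "(>= x)" and
# architecture qualifiers "[amd64]", trim whitespace, sort uniquely.
dep_names() {
    printf '%s\n' "$1" \
        | tr ',|' '\n\n' \
        | sed -e 's/([^)]*)//g' -e 's/\[[^]]*\]//g' \
              -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$' \
        | sort -u
}

# Print package names present in the OLD Depends field ($1) but absent
# from the NEW one ($2), one per line; prints nothing if none were dropped.
dropped_deps() {
    old=$(dep_names "$1")
    new=$(dep_names "$2")
    for d in $old; do
        printf '%s\n' "$new" | grep -qx "$d" || printf '%s\n' "$d"
    done
}

# Against two real .deb files the fields come from dpkg-deb, e.g.:
#   dropped_deps "$(dpkg-deb -f old.deb Depends)" "$(dpkg-deb -f new.deb Depends)"

# Constructed sample fields (not the actual moodle control data): the new
# version tightens php5, adds mimetex and silently loses wwwconfig-common.
OLD_DEPENDS='apache2 | httpd, php5, php5-mysql | php5-pgsql, wwwconfig-common, debconf (>= 0.5) | debconf-2.0'
NEW_DEPENDS='apache2 | httpd, php5 (>= 5.2), php5-mysql | php5-pgsql, debconf (>= 0.5) | debconf-2.0, mimetex'

dropped_deps "$OLD_DEPENDS" "$NEW_DEPENDS"
```

A dropped dependency is not automatically a bug, but each one listed should be explained in the changelog or the upload held back; running the check on a clean chroot with apt-get, not by installing dependencies manually, keeps the test from hiding the same gap.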



Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities

2010-10-11 Thread Michael Gilbert
On Mon, 11 Oct 2010 10:39:37 -0500, Jordon Bedwell wrote:
> On Mon, 2010-10-11 at 11:15 -0400, Michael Gilbert wrote:
> > I highly doubt that there is anything malicious going on here, and there
> > is always the "Debian does not hide problems" mantra.  The simplest,
> > and most-likely explanation is that it was easier to update to the new
> > upstream, rather than attempt to backport fixes for 11 separate issues.
> 
> Why assume somebody meant something malicious? I implied that perhaps
> there were smaller security upgrades which would have justified a
> version jump... Really guy.

If there are smaller known security issues that were fixed in the
upload but not mentioned in the DSA, which there aren't, then that
would be a case of hiding problems.  The implication there would be
that security team members are intentionally hiding info about issues,
which they aren't.  However, if that were happening, the only way to
interpret that would be as malicious.

> The serious problem with you assuming I implied that something malicious
> is going on is the fact that we can pull the source that he uploaded to
> Debian directly from Debian and view it.

OK, so do that before making an unfounded claim that there is more to
the issue than you're being told.

Best wishes,
Mike


Archive: http://lists.debian.org/20101011120415.f21cbba1.michael.s.gilb...@gmail.com



Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities

2010-10-11 Thread Jordon Bedwell
On Mon, 2010-10-11 at 11:15 -0400, Michael Gilbert wrote:
> I highly doubt that there is anything malicious going on here, and there
> is always the "Debian does not hide problems" mantra.  The simplest,
> and most-likely explanation is that it was easier to update to the new
> upstream, rather than attempt to backport fixes for 11 separate issues.

Why assume somebody meant something malicious? I implied that perhaps
there were smaller security upgrades which would have justified a
version jump... Really guy.

The serious problem with you assuming I implied that something malicious
is going on is the fact that we can pull the source that he uploaded to
Debian directly from Debian and view it.


Archive: http://lists.debian.org/1286811577.22195.2.ca...@envygeeks



Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities

2010-10-11 Thread Michael Gilbert
On Mon, 11 Oct 2010 09:46:04 -0500, Jordon Bedwell wrote:
> On Mon, 2010-10-11 at 10:40 -0400, Michael Gilbert wrote:
> > The problem here appears to be the jump to the new upstream version
> > (1.8.2 to 1.8.13), which has a different dependency set.  New
> > upstreams are usually disallowed in security uploads.  The question
> > is why was that OK in this case, rather than the standard backporting
> > approach?
> 
> Perhaps there was more to this "security problem" than they're telling
> us?

I highly doubt that there is anything malicious going on here, and there
is always the "Debian does not hide problems" mantra.  The simplest,
and most-likely explanation is that it was easier to update to the new
upstream, rather than attempt to backport fixes for 11 separate issues.

Best wishes,
Mike


Archive: http://lists.debian.org/2010101548.1afb4e4c.michael.s.gilb...@gmail.com



Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities

2010-10-11 Thread Jordon Bedwell
On Mon, 2010-10-11 at 10:40 -0400, Michael Gilbert wrote:
> The problem here appears to be the jump to the new upstream version
> (1.8.2 to 1.8.13), which has a different dependency set.  New
> upstreams are usually disallowed in security uploads.  The question
> is why was that OK in this case, rather than the standard backporting
> approach?

Perhaps there was more to this "security problem" than they're telling
us? Something we would need to figure out by checking upstream?  The
only way to find out for sure is if we forward this thread to the
package maintainer and ask him to speak out about what is going on.



Archive: http://lists.debian.org/1286808364.18776.1.ca...@envygeeks



Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities

2010-10-11 Thread Michael Gilbert
On Mon, 11 Oct 2010 14:14:41 +0100, Ian Jackson wrote:
> Florian Weimer writes ("[SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities"):
> > DSA-2115-1 introduced a regression because it lacked a dependency on
> > the wwwconfig-common package, leading to installation problems.  This
> > update addresses this issue.  For reference, the text of the original
> > advisory is provided below.
> 
> This is the second recent regression in a security update.  I'm sure
> you'll all agree that this is bad.  It's a shame, because Debian
> security updates have historically had a very good reputation.
> 
> Is there anything that I could do to help with improving things to
> avoid this happening again?
> 
> A traditional approach might be to hold a postmortem to try to find
> the chain of events, identify root causes, and make recommendations
> (whether to the Security Team or to others in the project).  Has
> anything like that been done in this case?

The problem here appears to be the jump to the new upstream version
(1.8.2 to 1.8.13), which has a different dependency set.  New
upstreams are usually disallowed in security uploads.  The question
is why was that OK in this case, rather than the standard backporting
approach?

Best wishes,
Mike


Archive: http://lists.debian.org/20101011104029.1ac6c88a.michael.s.gilb...@gmail.com



Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities

2010-10-11 Thread Ian Jackson
Florian Weimer writes ("[SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities"):
> DSA-2115-1 introduced a regression because it lacked a dependency on
> the wwwconfig-common package, leading to installation problems.  This
> update addresses this issue.  For reference, the text of the original
> advisory is provided below.

This is the second recent regression in a security update.  I'm sure
you'll all agree that this is bad.  It's a shame, because Debian
security updates have historically had a very good reputation.

Is there anything that I could do to help with improving things to
avoid this happening again?

A traditional approach might be to hold a postmortem to try to find
the chain of events, identify root causes, and make recommendations
(whether to the Security Team or to others in the project).  Has
anything like that been done in this case?

Ian.
offering to help - this is not a brickbat


Archive: http://lists.debian.org/19635.3521.655481.658...@chiark.greenend.org.uk



Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities

2010-10-10 Thread post
Dear Sir or Madam,

Unfortunately my office is not staffed from 04.10. to 10.10. Your message will not be forwarded.
In urgent cases you can reach me on my mobile number: 0170-98 91 243

Kind regards,
Florian Michel

--
Heliomedia
Dipl.-Inform. Florian Michel
Sangstr. 7
57299 Burbach

Tel. 0 27 39 - 80 30 04



Archive: http://lists.debian.org/20101011052330.5953.qm...@h1370841.stratoserver.net