Gerfried Fuchs wrote:
>       Hi!
> 
> * Jeremy T. Bouse <jbo...@debian.org> [2010-02-01 16:12:06 CET]:
> > Gerfried Fuchs wrote:
> > > * Jeremy T. Bouse <jbo...@debian.org> [2009-11-27 19:30:47 CET]:
> > >>  I am currently working on getting 1.4.4 ready to go and remove David
> > >> Gil from the package per (#551636)
> > > 
> > >  Actually, I'm not sure, does this address Moritz' concerns, from a
> > > security team's point of view, especially with respect to stable? I
> > > don't see any update that would have fixed the security issues for
> > > lenny, what is your plan for that?
> > 
> >     1.4.4 reportedly fixes all current outstanding CVS reports. Short of
> > going and simply upgrading the old versions trying to go through the
> > code and find the specific fixes to these issues, as I've found no patch
> > files specific to the problem, would take much more time than I have
> > available when a fixed upstream version is already available in the
> > repository. 1.4.4-1 hit the unstable repository in late November and I
> > had a few fixes until 1.4.4-3 was migrated to testing just before Christmas.
> 
>  You are aware that maintaining a package doesn't mean only taking care
> for it in unstable but also to at least try to give the security team a
> helping hand for trying to get things straight in a stable release? I
> wonder, how severe are the issues actually? Is it better to pull the
> package from the stable release (like Moritz suggested already) if you
> don't see the possibility to get the issues fixed for stable, or do you
> consider the issues minor enough to ignore them for this time - but what
> will happen when more severe ones pop up?

An additional possibility might be to limit the scope of security support
to local, trusted users behind an authenticated HTTP zone. We're doing that
for a few applications already, e.g. sql-ledger or ocsinventory.
You wouldn't expose your accounting or hardware inventory to untrusted 
users and the same should apply to IDS results.

Cheers,
        Moritz


