to reiterate, why are there no security updates on the front page? (Or, 17 security holes the security team hasn't told you about)

To: debian-devel@lists.debian.org, debian-security-private@lists.debian.org, joey@debian.org, wakkerma@debian.org
Cc: debian-www@lists.debian.org
Subject: to reiterate, why are there no security updates on the front page? (Or, 17 security holes the security team hasn't told you about)
From: Joey Hess <joeyh@debian.org>
Date: Sun, 28 May 2000 22:56:33 -0700
Message-id: <[🔎] 20000528225633.L6106@kitenet.net>
Mail-followup-to: debian-devel@lists.debian.org, debian-security-private@lists.debian.org, joey@debian.org, wakkerma@debian.org, debian-www@lists.debian.org

Ok, since nobody from the security team replied to my earlier question,
all I can do is ask it again:

Why is the last security update listed on the www.debian.org web page,
and the last security announcement posted to debian-security-announce,
from way back in March? 

I know there have been more recent security updates, based on the thread
that resulted from my question. A lot of them. So why is the security
team not doing anything to get those announced?

Again, the web site says:

                       [28 Mar 2000] dump - 
                            reported exploit in dump
                       [09 Mar 2000] mtr - 
                            possible local exploit in mtr
                       [28 Feb 2000] nmh - 
                            remote exploit in nmh
                       [26 Feb 2000] htdig - 
                            remote users can read files with webserver uid
                       [14 Feb 2000] make - 
                            symlink attack in make
                       [01 Feb 2000] apcd - 
                            symlink attack in apcd

While a quick grep of debian-changes for this month and April for
"security" finds:

imap (4.7c-1) frozen; urgency=high
  * SECURITY: addresses buffer overflow problems mentioned on BugTraq

zope (2.1.6-1) frozen; urgency=high
  * To the release manager: As you can see from changelog.gz, 2.1.6
    and 2.1.5 were bug fix releases only. Among the fixed bugs are
    two fixes for potential security holes, therefore I think this
    release should go into potato:
        - Fixed a bug that could allow someone with a lot of Zope zen
          to change the apparent AUTHENTICATED_USER to access things
          that they shouldn't.
        - Fixed a potential security hole that could allow users with
          permission to add Folders and edit DTML (and a who have a
          lot of Zope zen) to get access to things that they shouldn't.

horde (2:1.2.0-1.pre11.6) frozen unstable; urgency=low
  * Upstream security update

imp (2:2.2.0-1.pre11.6) frozen unstable; urgency=low
  * Upstream secuirty fixes

apache (1.3.9-13) frozen unstable; urgency=medium
  * [RC, security] Backported security fix for Cross Site Scripting issue
    (CERT Advisory CA-2000-02) from apache 1.3.11 patch.

kon2 (0.3.9b-0slink1) stable; urgency=high
   * [Security FIX] buffer overrun security problem fixed.

xlockmore (4.12-4.1) stable; urgency=high
   * Non-maintainer upload by security team
   * Fix buffer overflow in resource handling

orbit (0.5.0-5) frozen unstable; urgency=medium
  * Postinst for liborbit0 creates default /etc/orbitrc, if none exists.
    Default file disables tcp, for security (closes: Bug#52519).  More

dhelp (0.3.23) unstable frozen; urgency=low
  * dsearch: security fix for glimpse's temp files (#60853)

mh (6.8.4-JP-3.03-32.3) frozen unstable; urgency=low
  * Fix another security hole related to the previous fix.
    (buffer overflow problem in quote escape)

freewnn (1.1.0+1.1.1-a016-1) frozen; urgency=low
  * New upstream release with security-related fixes.
    - fixes for msg_open() bug ([freewnn:00350]).
    - freewnn-size_limit.diff ([freewnn:00361]).
    - freewnn-mkdir.diff ([freewnn:00359]).

roxen (1.2beta2-3.1) stable; urgency=high
   * Security fix - html encoding the output of the tags
     referer, accept-language, clientname, file
     Attacker can include code to be parsed by the server

floppybackup (1.3-2) stable; urgency=high
   * Security Fix - fixed temporary file use

mtr (0.28-1) stable; urgency=high
   * Security fix for theoretical stack-smash-and-fork attack -
     s/seteuid/setuid/ in mtr.c

nmh (0.27-0.28-pre8-4) stable; urgency=high
   * Applied patch to fix security hole which allowed untrusted shell
     code to be executed.

w3m (0.1.8-1) frozen unstable; urgency=medium
  * new upstream version
  - security fix potential buffer overflow exploit

angband (290-1) unstable; urgency=low
  * Update files in /var/lib/games/angband/data/ on install. Also, make
    sure that the scores files are not owned by first player that runs the
    game, this fixes a (minor) security issue.

-- 
see shy jo

Reply to:

Follow-Ups:
- Re: to reiterate, why are there no security updates on the front page? (Or, 17 security holes the security team hasn't told you about)
  - From: Joey Hess <joeyh@debian.org>
- Re: to reiterate, why are there no security updates on the front page? (Or, 17 security holes the security team hasn't told you about)
  - From: Wichert Akkerman <wichert@wiggy.net>

Prev by Date: Re: RFPondering: runlevelconf, dependency-based init.d scheme
Next by Date: Re: Release-critical Bugreport for May 26, 2000
Previous by thread: ITP: libdbd-odbc-perl
Next by thread: Re: to reiterate, why are there no security updates on the front page? (Or, 17 security holes the security team hasn't told you about)
Index(es):
- Date
- Thread