[Secure-testing-team] Re: <package> Buffer Overflow

Mon Mar 13 13:26:07 UTC 2006

On Mon, Mar 13, 2006 at 12:10:24PM +0000, Neil McGovern wrote:
> > > This is just a heads up and of course not publicly disclosed yet. I intend 
> > > to make a X.XX.X release really soon and publish that for when this flaw 
> > > gets announced. 
> [snip]
> > 
> > thank you. i will wait for you to publish X.XX.X.
> > 
> > currently, the affected version in debian are only in unstable and
> > testing. the unstable version will be upgraded as soon as you publish
> > X.XX.X, the testing version is not subject to strict security support.
> > 
> > i CCed the debian testing security group to let them correct me if
> > i'm wrong.
> > 
> 
> Well, the testing version *is* subject to security support, as we do it
> :)

of course :)

> However, we only deal with publically announced security issues. An
> upload to unstable with a high urgency will ensure it gets pushed into
> testing asap, and if it's stalled by anything, we'll release a DTSA.

ok. then, practically, we have nothing to do until 7.15.3 is out.

> As an aside, I've censored this mail, and asked for the original to be
> removed from the archives. This email address is a public list, so isn't
> suitable for undisclosed problems. The correct address for that is
> team at security.debian.org

ah, thank you.

i'm surprised. i didn't find anything about this at
http://secure-testing-master.debian.net/.  reading the debian security
faq, it looks like the debian security team and the testing one are
different entities.

indeed i expected secure-testing-team at lists.alioth.debian.org to be the
private mailing list for testing security as team at security.debian.org
is for stable.

please add a clarifying note in the "Members and contacting the team"
section. anyway, thank you.

cheers
domenico

-----[ Domenico Andreoli, aka cavok
 --[ http://people.debian.org/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50