[Secure-testing-team] Bug#833483: aptitude: doesn't detect obsolete candidate package (versions)
Christoph Anton Mitterer
calestyo at scientia.net
Tue Aug  2 14:00:27 UTC 2016

Package: aptitude
Version: 0.8.2-1
Severity: important
Tags: security

Hi.

I've just stumbled over the following:
Aptitude doesn't seem to tell people when the candidate and/or installed version
of a package is obsolete.

Example:
- Debian seems to have removed the transcode package already back in March.
- DMO still ships it however.
- I do have the transcode package from Debian installed.
- Via apt_preferences, all but a few packages from the DMO repos are "disabled".

Thus I'd never get any candidate version from DMO, while aptitude still shows
me the package as not being obsolete.

In a way, of course, it is not fully obsolete, but it will never get any updates,
thus no security updates either.

This is also what I think makes this issue important/security:
One ends up in a situation where the user will neither get updates (because it's no
longer in Debian), nor will he even notice that this is the case (not being
shown as obsolete).

Cheers,
Chris.
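
An added example, not part of the original report and not aptitude's own logic: one way to spot the situation described above is to parse `apt-cache policy` output and flag installed packages whose candidate is backed only by the local dpkg status file. The sample output, the versions, the mirror URLs and the -1 pin priority are constructed assumptions; `parse_policy` and `unsupported` are hypothetical helper names.

```python
import re

# Constructed sample of `apt-cache policy <pkg>...` output (apt >= 1.1 layout);
# versions, priorities and mirror URLs are made up for illustration.
SAMPLE = """\
transcode:
  Installed: 3:1.1.7-9
  Candidate: 3:1.1.7-9
  Version table:
     3:1.1.7-9+dmo1 -1
         -1 http://dmo.example/debian unstable/main amd64 Packages
 *** 3:1.1.7-9 100
        100 /var/lib/dpkg/status
aptitude:
  Installed: 0.8.2-1
  Candidate: 0.8.2-1
  Version table:
 *** 0.8.2-1 500
        500 http://deb.example/debian unstable/main amd64 Packages
        100 /var/lib/dpkg/status
"""
DPKG_STATUS = "/var/lib/dpkg/status"

def parse_policy(text):
    """Return {package: {"installed", "candidate", "versions": {ver: [(prio, source)]}}}."""
    pkgs, cur, ver = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"^(\S+):$", line):
            cur = pkgs[m.group(1)] = {"installed": None, "candidate": None, "versions": {}}
        elif m := re.match(r"^  (Installed|Candidate): (\S+)", line):
            cur[m.group(1).lower()] = m.group(2)
        elif m := re.match(r"^ (?:\*\*\*|   ) (\S+) -?\d+$", line):
            ver = m.group(1)
            cur["versions"][ver] = []
        elif (m := re.match(r"^ {8,}(-?\d+) (.+)$", line)) and ver is not None:
            cur["versions"][ver].append((int(m.group(1)), m.group(2)))
    return pkgs

def unsupported(pkgs):
    """Map each installed package that no archive backs to its other (pinned-away) versions."""
    out = {}
    for name, p in pkgs.items():
        sources = p["versions"].get(p["installed"], [])
        if p["installed"] == p["candidate"] and sources and all(s == DPKG_STATUS for _, s in sources):
            out[name] = [v for v in p["versions"] if v != p["installed"]]
    return out

if __name__ == "__main__":
    print(unsupported(parse_policy(SAMPLE)))
```

On a real system the same functions can be fed the output of `apt-cache policy` for the installed package names instead of `SAMPLE`.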
    
    