List: gentoo-dev
Subject: [gentoo-dev] Re: [gentoo-security] GLSA: net-ftp/proftpd(200309-16)
From: Ned Ludd <solar () gentoo ! org>
Date: 2003-09-29 16:34:03
I would have to 100% disagree with you on this.

GLSAs are to keep the end user informed about security updates. The
pure existence of a security update alone should not dictate that a
package is stable. Standard Q/A must still apply.

x86 was just bumped to stable btw.

On Mon, 2003-09-29 at 11:50, Thomas T. Veldhouse wrote:
> True, but that is not acceptable for me (or many admins I suspect). An
> unstable/testing security fix is itself a security risk, otherwise, it
> should be marked stable (as anything sent out in a GLSA should be IMHO).
>
> Tom Veldhouse
>
> ----- Original Message -----
> From: "Ned Ludd" <solar@gentoo.org>
> To: "Thomas T. Veldhouse" <veldy@veldy.net>
> Cc: "Daniel Ahlberg" <aliz@gentoo.org>; <gentoo-security@gentoo.org>
> Sent: Monday, September 29, 2003 10:39 AM
> Subject: Re: [gentoo-security] Re: [gentoo-announce] GLSA:
> net-ftp/proftpd(200309-16)
>
> net-ftp/proftpd has not been marked stable in the portage tree as of
> yet, you can however merge it if you're accepting ~arch keywords.
>
> ACCEPT_KEYWORDS="x86 ~x86" emerge '>=net-ftp/proftpd-1.2.9_rc2'
>
> When we get a few end user reports of it working we will mark it as
> stable.
>
> On Mon, 2003-09-29 at 10:47, Thomas T. Veldhouse wrote:
> > This is not adequate for a Gentoo stable system!
> >
> > # emerge '>=net-ftp/proftpd-1.2.9_rc2'
> > Calculating dependencies
> > !!! all ebuilds that could satisfy ">=net-ftp/proftpd-1.2.9_rc2" have been
> > masked.
> >
> > !!! Error calculating dependencies. Please correct.
> >
> > Tom Veldhouse
> >
> > ----- Original Message -----
> > From: "Daniel Ahlberg" <aliz@gentoo.org>
> > To: <gentoo-announce@gentoo.org>; <bugtraq@securityfocus.com>;
> > <full-disclosure@lists.netsys.com>
> > Sent: Monday, September 29, 2003 9:23 AM
> > Subject: [gentoo-announce] GLSA: net-ftp/proftpd (200309-16)
> >
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> >
> > - ------------------------------------------------------------------------
> > > GENTOO LINUX SECURITY ANNOUNCEMENT 200309-16
> >
> > - ------------------------------------------------------------------------
> > > PACKAGE : net-ftp/proftpd
> > > SUMMARY : ASCII File Remote Compromise Vulnerability
> > > DATE : 2003-09-28 00:37 UTC
> > > EXPLOIT : remote
> > > VERSIONS AFFECTED : <proftpd-1.2.9_rc2
> > > FIXED VERSION : =proftpd-1.2.9_rc2
> > > GENTOO BUG ID : 29452
> > > CVE : none that we are aware of at this time
> >
> > - ------------------------------------------------------------------------
> > >
> > > SUMMARY:
> > >
> > > ISS X-Force discovered a vulnerability that could be triggered when a
> > > specially crafted file is uploaded to a proftpd server.
> > >
> > > Read the full advisory at:
> > > http://www.proftpd.org/
> > >
> > > SOLUTION:
> > >
> > > It is recommended that all Gentoo Linux users who are running
> > > net-ftp/proftpd upgrade to proftpd-1.29_rc2 as follows
> > >
> > > emerge sync
> > > emerge '>=net-ftp/proftpd-1.2.9_rc2'
> > > emerge clean
> > >
> >
> > - - - --------------------------------------------------------------------
> > -
> > > solar@gentoo.org
> > > aliz@gentoo.org - GnuPG key is available at http://dev.gentoo.org/~aliz
> >
> > - - - --------------------------------------------------------------------
> > -
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.2.3 (GNU/Linux)
> > >
> > > iD8DBQE/eEBbfT7nyhUpoZMRArDnAKCFlLbPmeC/S05/0EG1pqJc9BbClACgjPY6
> > > OintOPB6pXf211OQxsUC7Tg=
> > > =+hmK
> > > -----END PGP SIGNATURE-----
> > >
> >
--
Ned Ludd <solar@gentoo.org>
Gentoo Linux Developer