Date: Thu, 26 Aug 1999 15:12:31 +0200
From: Martin Schulze <joey@finlandia.Infodrom.North.DE>
To: Debian Development <debian-devel@lists.debian.org>
Subject: Re: RfD: Preparing Debian 2.1r3

Hi folks,

as you should have noticed, I'm preparing a new subrelease of Slink
alias Debian 2.1. It will be called Debian 2.1r3. Only
security-related or very important updates will make it into another
stable release.

The proposed-updates directory contains about 150MB of packages. Not
all of them were accepted for the next stable release.

I've asked for your comments before, this is the result that is likely
to be included in 2.1r3. If you want to comment on it, be quick. If
you want to convince me, use good arguments.

0. Changelog
------------

 . Move tkdesk to remaining, doesn't compile on alpha+sparc
 . Move makedev to rejected, no important changes only, many changes though
 . Move libdb to remaining, why should it go into stable?
 . Move selfhtml to reject, package broken
 . Move egcs to remaining
 . Move libc6 to accept
 . Move lsof to accepted
 . Move lprng to accepted
 . Move dpkg to accepted
 . Move kernel-source-2.2.5 to remaining
 . Alphabetically sorted, at least tried that

1. Packages selected for stable
-------------------------------

Security fixes:

package: cfingerd
version: 1.3.2-18.1
architectures: source, alpha, i386, m68k, sparc
update type: security
  backported securityfix

package: epic4
version: pre2.003-0slink2
architectures: source, i386, m68k, alpha, sparc
update type: security
  potential DoS in the ANSI parser

package: epic4-help
version: pre2.003-0slink1
architectures: source, all
update type: semi-security
  documentation for epic fix

package: imap
version: 4.5-0slink3
architectures: source, alpha, m68k, sparc, i386
update type: security
  fixed security-fix for remote exploit

package: isdnutils
version: 1:3.0-12slink13
architectures: source, alpha, i386, sparc
update type: security
  xmonisdn called scripts were insecurely

package: lpr
version: 1:0.33-3
architectures: m68k
update type: security
  security-fix (switch to different lpr fork with a better codebase)
  m68k had the wrong version

package: mailman
version: 1.0rc2-5
architectures: source, alpha, i386, m68k, sparc
update type: security
  fixed version of security-fix (remote exploit iirc)

package: man-db
version: 2.3.10-69FIX.1
architectures: source, i386, m68k, alpha, sparc
update type: security
  open temporary files safely

package: procmail
version: 3.13.1-1
architectures: source, alpha, i386, m68k, sparc
update type: security
  various nasty security fixes

package: rsync
version: 2.3.1-0.slink.1
architectures: source, i386, m68k
update type: security
  fix security problem with updates in some conditions

package: smtp-refuser
version: 1.0.1
architectures: source, i386, alpha, m68k, sparc
update type: security
  fix logging which allowed deleting arbitrary files

package: termcap-compat
version: 1.1.1.1.0slink1
architectures: source, alpha, i386, m68k, sparc
update type: security
  fixes buffer overflow

package: man2html
version: 1.5-18.1
architectures: source, i386, m68k, alpha, sparc
update type: security
  Fixes /tmp race

package: trn
version: 3.6-9.3.1
architectures: source, i386, m68k, alpha, sparc
update type: security
  Fixes /tmp race

package: lsof
version: 4.37-4
architectures: i386, m68k
update type: semi-security
  a fix for a previous security update, binary package for default
  kernel 2.0.36. Slink has lsof-2.0.35_4.37-3 and lsof-2.0.36_4.37-4
  is in proposed updates, should be an addition.

package: lprng
version: 3.5.2-2
architectures: source, m68k, sparc, i386, alpha
update type: security
  don't allow connections from unprivileged by default

Broken packages fixes:

package: apt
version: 0.3.11
architectures: source, i386, m68k, alpha, sparc
update type: upgrade/install updates
  fixes a bunch of bugs, probably very useful for people doing
  upgrades. Check with Jason on how to fix the apt-removes-bash-bug
  first though

package: boot-floppies
version: 2.1.9.1
architectures: m68k (others aren't changed)
update type: fixed install update
  various bugs in the m68k install

package: dpkg
version: 1.4.0.35
  Disabled included gettext and used the one from libc.

package: exim
version: 2.05-2
architectures: source, i386, m68k, alpha, sparc
update type: grave bug fix
  two major bugs in slink version, one of which caused mail lossage

package: jadetex
version: 2.2-1
architectures: source, all
update type: important bugfix
  slink version was quite broken..

package: lam
version: 6.1-9
architectures: source, i386, m68k, sparc, alpha
update type: important bugfix
  slink version was quite useless..

package: libc6
version: 2.0.7.19981211-6.1
architectures: m68k (only m68k updates)
update type: bugfix
  update m68k support, fixes hwclock amongst other things, use 2.0.36
  headers, to bring it into line with the other architectures in slink.

package: open
version: 1.4-10.1
architectures: source, i386, m68k, alpha, sparc
update type: important bugfix
  undo previous changes which broke open in slink

package: remembrance-agent
version: 1.41-6
architectures: source, i386, m68k, alpha, sparc
update type: copyright
  move to non-free (needs ftpmaster intervention for the overridefile)

package: sendmail
version: 8.9.3-3
architectures: source, alpha, i386, m68k, sparc
update type: important bugfix
  allow .forward to work on group-writeable homedirs by default.
  otherwise no user could use .forward files since homedirs are made
  groupwriteable

2. Packages removed from proposed-updates
-----------------------------------------

These packages are rejected for stable and will also be removed from
the proposed-updates directory.

package: ascdc
version: 0.3-5.1
  minor bugfix, doesn't fit update criteria

package: auto-pgp
version: 1.04-2
  minor bugfix, doesn't fit update criteria

package: bsdgames-nonfree
version: 2.5-2
  minor bugfix, doesn't fit update criteria

package: dhcpcd
version: 1:0.70-5
  minor bugfix (tokenring support fixed), doesn't fit update criteria

package: dmalloc
version: 3.3.1-3
  minor bugfix (small manpage update), doesn't fit update criteria

package: fidogate
version: 4.2.8-4
  bugfixes meant for unstable

package: frotz
version: 2.32r2-12
  recompile only to remove the versioned libc dependency, which
  doesn't hurt us anyway

package: ftape
version: 4.03pre2.1999.04.25-1
  major update over slink, don't think it meets the update criteria

package: fvwm2
version: 2.0.46-BETA-3.1
  some alpha update, but I'm not convinced we need to include it.
  We should probably check with some alpha people for this one

package: gdb
version: 4.17-4.m68k.objc.threads.hwwp.fpu.gnat.3.1
  some sparc update, but I'm not convinced we need to include it.
  We should probably check with some sparc people for this one

package: gettyps
version: 2.0.7j-7
  fixes a normal bug, ie doesn't fit update criteria

package: infocom
version: 4.01pl2-7
  should have only been uploaded to unstable, doesn't fix anything
  important

package: inform
version: 6.14-4
  should have only been uploaded to unstable, doesn't fix anything

package: kdrill
version: 4.0-1
  new package, should have been uploaded only to unstable

package: kernel-image-2.0.36-amiga
version: 2.0.36-2
  only fixes broken driver, is available in potato as well

package: libpcap
version: 0.4a6-2.1
  update for a non-released architecture only

package: linuxlogo
version: various
  minor updates only

package: makedev
version: 2.3.1-23
architectures: source, all
update type: important bugfix
  fix some stupid and really nasty bugs, especially for sparc

package: mingetty
version: 0.9.4-3.2
  update for a non-released architecture only

package: nana
version: 2.3-1
  new upstream version, no bugfixes

package: selfhtml
version: 7.0-2
architectures: source, all
update type: security
  Fixes patent problem
  WARNING: Contains a bug, doesn't run on Slink.
  Question: How does one make an upload of it for stable that uses a
  version between 7.0-2 and 7.0-2?

package: yorick
version: 1.4-12
  changelog doesn't say enough to warrant inclusion imho

3. Packages remain in proposed-updates
------------------------------------

package: kernel-source-2.2.5
version: 2.2.5-2
  bugfixes, according to netgod: "To replace kernel-source-2.2.1,
  which has a number of serious issues. And even 2.2.5 dates back to
  April and has a known DoS exploit now."

package: egcs
version: 1.1.2-0slink2
architectures: i386, m68k
update type: nonbeta release
  final 1.1.2 release, small update from beta version in slink

package: tkdesk
version: 1.1-2
architectures: source, i386, m68k
update type: security
  fix symlink attack, doesn't compile out of the box on alpha+sparc

package: libdb
version: 1.85.4-4
architectures: alpha
update type: security
  don't build broken snprintf, which ignores the bounds check, making
  programs which just *happen* to use libdb vulnerable...

Regards,

	Joey
	Debian Security Team

-- 
The only stupid question is the unasked one.

Please always Cc to me when replying to me on the lists.