Date: Thu, 26 Aug 1999 15:12:31 +0200
From: Martin Schulze <joey@finlandia.Infodrom.North.DE>
To: Debian Development <debian-devel@lists.debian.org>
Subject: Re: RfD: Preparing Debian 2.1r3


Hi folks,

as you should have noticed, I'm preparing a new subrelease of Slink
alias Debian 2.1.  It will be called Debian 2.1r3.  Only
security-related or very important updates will make it into another
stable release.  The proposed-updates directory contains about 150MB
of packages.  Not all of them were accepted for the next stable
release.

I've asked for your comments before, this is the result that is likely
to be included in 2.1r3.  If you want to comment on it, be quick.  If
you want to convince me, use good arguments.

0. Changelog
------------

 . Move tkdesk to remaining, doesn't compile on alpha+sparc
 . Move makedev to rejected, no important changes only, many changes though
 . Move libdb to remaining, why should it go into stable?
 . Move selfhtml to reject, package broken
 . Move egcs to remaining
 . Move libc6 to accept
 . Move lsof to accepted
 . Move lprng to accepted
 . Move dpkg to accepted
 . Move kernel-source-2.2.5 to remaining
 . Alphabetically sorted, at least tried that

1. Packages selected for stable
-------------------------------

  Security fixes:

      package: cfingerd
      version: 1.3.2-18.1
      architectures: source, alpha, i386, m68k, sparc
      update type: security
	  backported securityfix

      package: epic4
      version: pre2.003-0slink2
      architectures: source, i386, m68k, alpha, sparc
      update type: security
	  potential DoS in the ANSI parser

      package: epic4-help
      version: pre2.003-0slink1
      architectures: source, all
      update type: semi-security
	  documentation for epic fix

      package: imap
      version: 4.5-0slink3
      architectures: source, alpha, m68k, sparc, i386
      update type: security
	  fixed security-fix for remote exploit

      package: isdnutils
      version: 1:3.0-12slink13
      architectures: source, alpha, i386, sparc
      update type: security
	  xmonisdn called scripts were insecurely

      package: lpr
      version: 1:0.33-3
      architectures: m68k
      update type: security
	  security-fix (switch to different lpr fork with a better codebase)
	  m68k had the wrong version

      package: mailman
      version: 1.0rc2-5
      architectures: source, alpha, i386, m68k, sparc
      update type: security
	  fixed version of security-fix (remote exploit iirc)

      package: man-db
      version: 2.3.10-69FIX.1
      architectures: source, i386, m68k, alpha, sparc
      update type: security
	  open temporary files safely

      package: procmail
      version: 3.13.1-1
      architectures: source, alpha, i386, m68k, sparc
      update type: security
	  various nasty security fixes

      package: rsync
      version: 2.3.1-0.slink.1
      architectures: source, i386, m68k
      update type: security
	  fix security problem with updates in some conditions

      package: smtp-refuser
      version: 1.0.1
      architectures: source, i386, alpha, m68k, sparc
      update type: security
	  fix logging which allowed deleting arbitrary files

      package: termcap-compat
      version: 1.1.1.1.0slink1
      architectures: source, alpha, i386, m68k, sparc
      update type: security
	  fixes buffer overflow

      package: man2html
      version: 1.5-18.1
      architectures: source, i386, m68k, alpha, sparc
      update type: security
	  Fixes /tmp race

      package: trn
      version: 3.6-9.3.1
      architectures: source, i386, m68k, alpha, sparc
      update type: security
	  Fixes /tmp race

      package: lsof
      version: 4.37-4
      architectures: i386, m68k
      update type: semi-security
	  a fix for a previous security update, binary package for
	  default kernel 2.0.36.  Slink has lsof-2.0.35_4.37-3 and
	  lsof-2.0.36_4.37-4 is in proposed updates, should be an
	  addition.

      package: lprng
      version: 3.5.2-2
      architectures: source, m68k, sparc, i386, alpha
      update type: security
	  don't allow connections from unprivileged by default


  Broken packages fixes:

      package: apt
      version: 0.3.11
      architectures: source, i386, m68k, alpha, sparc
      update type: upgrade/install updates
	fixes a bunch of bugs, probably very useful for people doing upgrades.
	Check with Jason on how to fix the apt-removes-bash-bug first though

      package: boot-floppies
      version: 2.1.9.1
      architectures: m68k (others aren't changed)
      update type: fixed install
	update various bugs in the m68k install

      package: dpkg
      version: 1.4.0.35
          Disabled included gettext and used the one from libc.

      package: exim
      version: 2.05-2
      architectures: source, i386, m68k, alpha, sparc
      update type: grave bug
	  fix two major bugs in slink version, one of which caused mail lossage

      package: jadetex
      version: 2.2-1
      architectures: source, all
      update type: important bugfix
	  slink version was quite broken..

      package: lam
      version: 6.1-9
      architectures: source, i386, m68k, sparc, alpha
      update type: important bugfix
	  slink version was quite useless..

      package: libc6
      version: 2.0.7.19981211-6.1
      architectures: m68k (only m68k updates)
      update type: bugfix
          update m68k support, fixes hwclock amongst other things, use
          2.0.36 headers, to bring it into line with the other
          architectures in slink.

      package: open
      version: 1.4-10.1
      architectures: source, i386, m68k, alpha, sparc
      update type: important bugfix
	  undo previous changes which broke open in slink

      package: remembrance-agent
      version: 1.41-6
      architectures: source, i386, m68k, alpha, sparc
      update type: copyright
	  move to non-free (needs ftpmaster intervention for the overridefile)

      package: sendmail
      version: 8.9.3-3
      architectures: source, alpha, i386, m68k, sparc
      update type: important bugfix
	  allow .forward to work on group-writeable homedirs by default. otherwise
	  no user could use .forward files since homedirs are made groupwriteable


2. Packages removed from proposed-updates
-----------------------------------------

  These packages are rejected for stable and will also be removed from
  the proposed-updates directory.


  package: ascdc
  version: 0.3-5.1
    minor bugfix, doesn't fit update criteria

  package: auto-pgp
  version: 1.04-2
    minor bugfix, doesn't fit update criteria

  package: bsdgames-nonfree
  version: 2.5-2
    minor bugfix, doesn't fit update criteria

  package: dhcpcd
  version: 1:0.70-5
    minor bugfix (tokenring support fixed), doesn't fit update criteria

  package: dmalloc
  version: 3.3.1-3
    minor bugfix (small manpage update), doesn't fit update criteria

  package: fidogate
  version: 4.2.8-4
    bugfixes meant for unstable

  package: frotz
  version: 2.32r2-12
    recompile only to remove the versioned libc dependency, which
    doesn't hurt us anyway

  package: ftape
  version: 4.03pre2.1999.04.25-1
    major update over slink, don't think it meets the update criteria

  package: fvwm2
  version: 2.0.46-BETA-3.1
    some alpha update, but I'm not convinced we need to include it. We
    should probably check with some alpha people for this one

  package: gdb
  version: 4.17-4.m68k.objc.threads.hwwp.fpu.gnat.3.1
    some sparc update, but I'm not convinced we need to include it. We
    should probably check with some sparc people for this one

  package: gettyps
  version: 2.0.7j-7
    fixes a normal bug, ie doesn't fit update criteria

  package: infocom
  version: 4.01pl2-7
    should have only been uploaded to unstable, doesn't fix anything
    important

  package: inform
  version: 6.14-4
    should have only been uploaded to unstable, doesn't fix anything

  package: kdrill
  version: 4.0-1
    new package, should have been uploaded only to unstable

  package: kernel-image-2.0.36-amiga
  version: 2.0.36-2
    only fixes broken driver, is available in potato as well

  package: libpcap
  version: 0.4a6-2.1
    update for a non-released architecture only

  package: linuxlogo
  version:  various
    minor updates only

  package: makedev
  version: 2.3.1-23
  architectures: source, all
  update type: important bugfix
      fix some stupid and really nasty bugs, especially for sparc

  package: mingetty
  version: 0.9.4-3.2
    update for a non-released architecture only

  package: nana
  version: 2.3-1
    new upstream version, no bugfixes

  package: selfhtml
  version: 7.0-2
  architectures: source, all
  update type: security
      Fixes patent problem
    WARNING: Contains a bug, doesn't run on Slink.
    Question: How does one make an upload of it for stable that uses a
    version between 7.0-2 and 7.0-2?

  package: yorick
  version: 1.4-12
    changelog doesn't say enough to warrant inclusion imho

3. Packages remain in proposed-updates
------------------------------------

  package: kernel-source-2.2.5
  version: 2.2.5-2
    bugfixes, according to netgod: "To replace kernel-source-2.2.1,
    which has a number of serious issues.  And even 2.2.5 dates back
    to April and has a known DoS exploit now."

  package: egcs
  version: 1.1.2-0slink2
  architectures: i386, m68k
  update type: nonbeta release
    final 1.1.2 release, small update from beta version in slink

  package: tkdesk
  version: 1.1-2
  architectures: source, i386, m68k
  update type: security
      fix symlink attack, doesn't compile out of the box on alpha+sparc

  package: libdb
  version: 1.85.4-4
  architectures: alpha
  update type: security
      don't build broken snprintf, which ignores the bounds check, making
      programs which just *happen* to use libdb vulnerable...

Regards,

	Joey
	Debian Security Team

-- 
The only stupid question is the unasked one.

Please always Cc to me when replying to me on the lists.
