Package: screen
Version: 4.1.0~20120320gitdb59704-4
Severity: normal
Tags: security


Hi.

In the most recent NEWS.Debian entry, you describe how users
can retrieve an old version of the screen package in order to
connect to pre-4.1 sessions.

A security problem, IMHO, is that a simple download, not even
HTTPS secured (which also wouldn't be that good), is advised.

This makes a "hole" in secure APT, which otherwise only
brings secured packages into the system.


Now there are several ways to get around this, amongst others:
a) Suggest instead that users add a sources.list entry
for oldstable (where an old screen should be available) and a
command to downgrade to that.


b) Include SHA512 sums for the .deb files of the most recent
4.0.3 version for all architectures.


I'd suggest a), as b) has the disadvantage that the sums get
out of date once there is a security upload of a newer
4.0.3 version to oldstable.


Cheers,
Chris.
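To make the difference between option b) and secure APT concrete, the following added example (not part of the original report) verifies a downloaded .deb against the SHA512 recorded for that package and version in a Debian Packages index, which is the check APT performs against the signed index on the user's behalf. The package name, version, Filename path and index contents used in the test are constructed sample data.

```shell
#!/bin/sh
# Verify a downloaded .deb against the SHA512 listed for it in a
# Debian "Packages" index (blank-line separated "Field: value" stanzas).
# Usage: verify_deb PACKAGES_FILE PKGNAME VERSION DEBFILE
# Returns 0 on match, 1 on mismatch, 2 if no matching stanza exists.
verify_deb() {
    index=$1; pkg=$2; ver=$3; deb=$4
    # Paragraph mode (RS="") reads one stanza per record; each line is a
    # field. Only a stanza matching both Package and Version is accepted.
    expected=$(awk -v p="$pkg" -v v="$ver" '
        BEGIN { RS = ""; FS = "\n" }
        {
            found_pkg = 0; found_ver = 0; sum = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Package: " p) found_pkg = 1
                else if ($i == "Version: " v) found_ver = 1
                else if (index($i, "SHA512: ") == 1) sum = substr($i, 9)
            }
            if (found_pkg && found_ver && sum != "") { print sum; exit }
        }' "$index")
    if [ -z "$expected" ]; then
        echo "no SHA512 for $pkg $ver in $index" >&2
        return 2
    fi
    actual=$(sha512sum "$deb" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $deb matches $pkg $ver"
        return 0
    fi
    echo "MISMATCH: $deb does not match $pkg $ver" >&2
    return 1
}
```

The hash is only as trustworthy as the index it came from; taking it from a Release-signed index rather than a hash pasted into NEWS.Debian is exactly what keeps it from going stale after a later security upload.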


