package: awstats
severity: grave
tags: security
Version 6.4-1.1 which fixed CAN-2005-152 on Sept 4, 2005 is still not
available in the stable branch as of October 28, 2005.
Running 'apt-get update && apt-get upgrade' on Debian 3.1 does not yet
fix CAN-2005-152 which was fixed roughly 2 months ago.
The changelog for stable does not even mention CAN-2005-152:
http://packages.debian.org/changelogs/pool/main/a/awstats/awstats_6.4-1/changelog
There is no mention of any package versions being held back for any
reason at:
http://packages.qa.debian.org/a/awstats.html
Is it normal for a fixed vulnerability to remain in the stable branch
for 2 months? Is there something other than 'apt-get update && apt-get
upgrade' that sysadmins must perform on Debian in order to get security
updates? Please advise. Thanks.