darren <dar...@darrenalbers.net> posted f908cff13b43b0b0d7bdf1273c894...@localhost, excerpted below, on Wed, 24 Dec 2008 18:50:19 -0800:
> I am not sure why Hardy has not been updated to have the fix but I will
> make a note on my calendar to poke around next week and see why it
> didn't but the version in Intrepid /DOES/ have this fix. It was
> synched from Debian back in July and the fix for this went into Debian
> in June: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483562
>
> Here is the Changelog from the version in Intrepid:
> http://changelogs.ubuntu.com/changelogs/pool/main/p/pan/pan_0.132-3.1ubuntu1/changelog
>
> You will see that the fix hit about 14 days after it hit Debian.

So they did the patch-bump rather than grab the new version. OK, that works.

But I think I see why they didn't bump hardy. If you check the log, the Debian security fix was "urgency=high", while (if I'm reading correctly) the Ubuntu merge including it was "urgency=low". Obviously, whoever merged it either didn't read the changelog for what he was merging and thus didn't see the "urgency=high" security fix, or he did, and flat disagreed with the urgency evaluation. Either way, urgency=low would mean there's little reason to backport and test for hardy.

But I asked and I thought someone posted confirmation that 8.10 (intrepid, I guess, as a non-Ubuntu user I have trouble keeping name-version linking straight) was indeed still vulnerable? I guess the confirmation was that it was still 0.132 and I assumed it was still vulnerable because I thought surely if they were running the same base version and had security-patched one, they'd security-patch the other, and they hadn't patched 8.4 so I assumed that meant that since 8.10 was running 0.132 as well, they hadn't security patched it either.

Anyway, it's good to know that at least those who keep up with the latest Ubuntu version aren't vulnerable any more, even if the previous version, a supposed long-term support version (IIRC), is still vulnerable now ~seven months after the initial report, ~six months after they merged the patch for their next short-term support version and several other distributions merged their corresponding patches, and ~four months after those same distributions posted their corresponding security alert warnings.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master -- and if you use the program, he is your master." Richard Stallman

_______________________________________________
Pan-users mailing list
Pan-users@nongnu.org
http://lists.nongnu.org/mailman/listinfo/pan-users