Security slightly compromised. Why is lenny-security altering uw-imap_2007b~dfsg.orig.tar.gz?
* Goswin von Brederlow <firstname.lastname@example.org> [2008-12-14 20:14]:
> I run reprepro to create a local mirror for lenny, lenny-security and
> sid. Since I have it setup to put all 3 into a common pool I noticed
> the following:
> As you can see Lenny-Security has a different orig.tar.gz than
> Lenny/Sid. This creates a problem for my reprepro as it detects a
> size/md5sum mismatch, aborts and sends me an angry mail. But more
> importantly this prevents the security update from entering Lenny:
> Rejected: md5sum and/or size mismatch on existing copy of uw-imap_2007b~dfsg.orig.tar.gz.
> Rejected: can not overwrite existing copy of 'uw-imap_2007b~dfsg.orig.tar.gz' already in the archive.
This update was unfortunately a bit problematic, to make the
story short uw-imap was uploaded as 7:2007b~dfsg-4 but we
then requested to upload this as -3+lenny1 to mark it as a
security update and to prevent broken updates in case
7:2007d~dfsg-1 gets rejected from NEW (in -3+lenny1 is also
the upstream tarball change).
Unfortunately -3+lenny1 was rejected on klecker because the
orig.tar.gz of the old build was still lying around in the
queue. As we can not use the same version twice on klecker
-4+lenny1 was uploaded as a rebuild of -3+lenny1 and the
upstream tarball change was overlooked in that chaos.
> As it is the vulnerable version of uw-imap will remain in Lenny and
> Lenny will have a known security bug that is totaly avoidable. From
> the timestamp above you can see that this problem has been around over
> a month.
> Does anyone care?
I see two possibilities here, one option is to get
8:2007b~dfsg-1 unblocked and let this migrate to lenny
(there is some weird SONAME change though) or to reupload a
+lenny2 version to testing-security again.
Nico Golde - http://www.ngolde.de - email@example.com - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.