[Gllug] Advice needed on Ubuntu
John Winters
john at sinodun.org.uk
Wed Feb 15 11:06:08 UTC 2006
On Wed, 2006-02-15 at 11:30 +0100, Dani Pardo wrote:
> John Wrote:
>
> >
> > Generally speaking, Debian does not bring a new version of an upstream
> > package into Stable just because there's been a security bug fix in it.
> > What they do instead is to retro-fit the bug fix to the current version
> > and release that through security.debian.org. You can thus be sure (or
> > at least, more confident) that you're getting just the bug fix and not
> > any other changes.
>
> Mm.. so you mean now I'm running sudo 1.6.8p7 but with Debian patches
> for security issues? So now the only way to assure that I'm not
> vulnerable is to actually try to exploit it?
You should be running 1.6.8p7-1.3. According to the Debian security
announcements, the bug to which you refer was fixed in 1.6.8p7-1.1 on
7th July, 2005. There have since been two more bug-fix versions (1.2 on
25th October, 2005 and 1.3 on 20th January, 2006).
If you don't trust the patch log then yes, you'll need to test it
yourself. Details of how to exploit the bug are included in the
original bug report (or at least, in the bug report with which it was
merged - 315115).
>
> > Now about those 41 packages which are out of date on your system...
>
> Yeah, well... err :)) It's my desktop system wich just now have added
> the security.debian.org in its apt sources. Mostly kde stuff.
apt-get update
apt-get upgrade
is your friend.
HTH
John
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
More information about the GLLUG
mailing list