Debian Bug report logs - #173824
cups: remote root bug

Package: cupsys; Maintainer for cupsys is (unknown);

Reported by: Erno Kuusela <erno-debbugs@erno.iki.fi>

Date: Sat, 21 Dec 2002 01:06:29 UTC

Severity: critical

Tags: security, woody

Done: Jeff Licquia <licquia@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org, cups@packages.qa.debian.org:
Bug#173824; Package cups. Full text and rfc822 format available.

Acknowledgement sent to Erno Kuusela <erno-debbugs@erno.iki.fi>:
New Bug report received and forwarded. Copy sent to unknown-package@qa.debian.org, cups@packages.qa.debian.org. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Erno Kuusela <erno-debbugs@erno.iki.fi>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cups: remote root bug
Date: Sat, 21 Dec 2002 03:05:28 +0200
Package: cups
Version: N/A; reported 2002-12-21
Severity: critical
Tags: security
Justification: root security hole

http://www.idefense.com/advisory/12.19.02.txt

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux fabulous 2.4.19-rc2 #2 Sun Jul 21 23:57:23 EEST 2002 i686
Locale: LANG=C, LC_CTYPE=fi_FI




Bug reassigned from package `cups' to `cupsys'. Request was from Erno Kuusela <erno@iki.fi> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, cupsys@packages.qa.debian.org:
Bug#173824; Package cupsys. Full text and rfc822 format available.

Acknowledgement sent to Jeff Licquia <licquia@debian.org>:
Extra info received and forwarded to list. Copy sent to cupsys@packages.qa.debian.org. Full text and rfc822 format available.

Message #12 received at 173824@bugs.debian.org (full text, mbox):

From: Jeff Licquia <licquia@debian.org>
To: control@bugs.debian.org
Cc: 173824@bugs.debian.org
Subject: Status of security issue
Date: 26 Dec 2002 12:35:48 -0500
tags 173824 + woody
tags 173824 + testing
thanks

The security issues in this advisory should be cleared up for unstable
with 1.1.18-1.  I am working with Matt Zimmerman (mdz@debian.org) on the
issues in stable, and testing really should get 1.1.18-1 ASAP.

-- 
Jeff Licquia <licquia@debian.org>



Tags added: woody Request was from Jeff Licquia <licquia@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: Request was from Jeff Licquia <licquia@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org:
Bug#173824; Package cupsys. Full text and rfc822 format available.

Acknowledgement sent to Alexander Hvostov <alex@aoi.dyndns.org>:
Extra info received and forwarded to list. Copy sent to Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org. Full text and rfc822 format available.

Message #21 received at 173824@bugs.debian.org (full text, mbox):

From: Alexander Hvostov <alex@aoi.dyndns.org>
To: 173824@bugs.debian.org
Subject: Not good.
Date: 02 Jan 2003 05:15:02 -0800
This bug has been open for 12 days now, and while a fix has been
uploaded to stable and unstable, I have yet to see a fix for testing,
and I have yet to see a Debian Security Advisory.

This is not good. It's only out of sheer luck that I am using unstable
and upgraded recently, so my system is not still vulnerable, and it's
only out of sheer luck that I ever noticed this hole existed, because I
happened upon the bug page for CUPS.

Remote root exploits in widely-used software are not to be trifled with.
Others may suffer severe consequences because a 12-day-old remote root
hole went unannounced (and, in the case of testing, uncorrected).

What is the delay?

Alex.

-- 
PGP Public Key: http://aoi.dyndns.org/~alex/pgp-public-key

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS d- s:++ a18 C++(++++)>$ UL+++(++++) P--- L+++>++++ E---- W+(+++) N-
o-- K+ w--- !O M(+) V-- PS+++ PE-- Y+ PGP+(+++) t* 5-- X-- R tv b- DI
D+++ G e h! !r y
------END GEEK CODE BLOCK------

Information forwarded to debian-bugs-dist@lists.debian.org, cupsys@packages.qa.debian.org:
Bug#173824; Package cupsys. Full text and rfc822 format available.

Acknowledgement sent to Jeff Licquia <licquia@debian.org>:
Extra info received and forwarded to list. Copy sent to cupsys@packages.qa.debian.org. Full text and rfc822 format available.

Message #26 received at 173824@bugs.debian.org (full text, mbox):

From: Jeff Licquia <licquia@debian.org>
To: Alexander Hvostov <alex@aoi.dyndns.org>, 173824@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#173824: Not good.
Date: 02 Jan 2003 12:30:50 -0500
On Thu, 2003-01-02 at 08:15, Alexander Hvostov wrote:
> This bug has been open for 12 days now, and while a fix has been
> uploaded to stable and unstable, I have yet to see a fix for testing,
> and I have yet to see a Debian Security Advisory.
> 
> This is not good. It's only out of sheer luck that I am using unstable
> and upgraded recently, so my system is not still vulnerable, and it's
> only out of sheer luck that I ever noticed this hole existed, because I
> happened upon the bug page for CUPS.
> 
> Remote root exploits in widely-used software are not to be trifled with.
> Others may suffer severe consequences because a 12-day-old remote root
> hole went unannounced (and, in the case of testing, uncorrected).
> 
> What is the delay?

The security team may be able to answer your question better on some
things.  I can tell you what has been going on for me.

First of all, as you know, unstable was updated right away with the
latest from ESP.  I will assume you're also aware of Debian's policy
regarding stable updates.  Because of this, the fixes had to be
backported from 1.1.18 to 1.1.14.

Those backports were made available to the security team at the same
time as the upload to unstable.  Unfortunately, the backport was
incomplete, as I was able to determine from exploit code sent to me
several days after the original advisory.  Since that time, I have been
working with a security team member to try and get those fixes
finished.  The last one was done just last night.

I will not speculate on the security team's policy on partial fixes;
they can tell you something more if they will.  But a complete fix has
not been available to them for stable until just recently.  There is
work to do regarding writing an advisory, building the fix for all
platforms, and so on.

As for testing, I have not paid any attention to it to date, choosing
instead to focus on stable.  Now that all of the issues with stable are
out of the way, I can perhaps make an upload to
testing-proposed-updates.  I had hoped that testing would pick up on the
update, but forgot about the current problems with glibc.

-- 
Jeff Licquia <licquia@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org:
Bug#173824; Package cupsys. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org. Full text and rfc822 format available.

Message #31 received at 173824@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: Jeff Licquia <licquia@debian.org>
Cc: Alexander Hvostov <alex@aoi.dyndns.org>, 173824@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#173824: Not good.
Date: Thu, 2 Jan 2003 18:21:58 -0500
On Thu, Jan 02, 2003 at 12:30:50PM -0500, Jeff Licquia wrote:

> On Thu, 2003-01-02 at 08:15, Alexander Hvostov wrote:
> > This bug has been open for 12 days now, and while a fix has been
> > uploaded to stable and unstable, I have yet to see a fix for testing,
> > and I have yet to see a Debian Security Advisory.
> > 
> > This is not good. It's only out of sheer luck that I am using unstable
> > and upgraded recently, so my system is not still vulnerable, and it's
> > only out of sheer luck that I ever noticed this hole existed, because I
> > happened upon the bug page for CUPS.
> > 
> > Remote root exploits in widely-used software are not to be trifled with.
> > Others may suffer severe consequences because a 12-day-old remote root
> > hole went unannounced (and, in the case of testing, uncorrected).
> > 
> > What is the delay?

Debian Security Advisories are not issued for unstable.  Debian Security
Advisories are not issued for testing.

http://www.debian.org/security/faq#testing

(and the rest of the FAQ as well)

testing, in particular, does not (and often cannot) receive timely security
updates.  This is by design, as software does not enter testing without
proper...testing.

I do not know where you saw a fix for stable, because there has not been an
advisory yet.  An advisory is in progress.

> As for testing, I have not paid any attention to it to date, choosing
> instead to focus on stable.  Now that all of the issues with stable are
> out of the way, I can perhaps make an upload to
> testing-proposed-updates.  I had hoped that testing would pick up on the
> update, but forgot about the current problems with glibc.

As far as I know, there is no such thing as testing-proposed-updates, and
being able to upload directly to testing would defeat its purpose.  The fix
will eventually propagate from unstable to testing.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org:
Bug#173824; Package cupsys. Full text and rfc822 format available.

Acknowledgement sent to Alexander Hvostov <alex@aoi.dyndns.org>:
Extra info received and forwarded to list. Copy sent to Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org. Full text and rfc822 format available.

Message #36 received at 173824@bugs.debian.org (full text, mbox):

From: Alexander Hvostov <alex@aoi.dyndns.org>
To: Matt Zimmerman <mdz@debian.org>
Cc: Jeff Licquia <licquia@debian.org>, 173824@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#173824: Not good.
Date: 03 Jan 2003 00:39:40 -0800
On Thu, 2003-01-02 at 15:21, Matt Zimmerman wrote:
> On Thu, Jan 02, 2003 at 12:30:50PM -0500, Jeff Licquia wrote:
> 
> > On Thu, 2003-01-02 at 08:15, Alexander Hvostov wrote:
> > > This bug has been open for 12 days now, and while a fix has been
> > > uploaded to stable and unstable, I have yet to see a fix for testing,
> > > and I have yet to see a Debian Security Advisory.
> > > 
> > > This is not good. It's only out of sheer luck that I am using unstable
> > > and upgraded recently, so my system is not still vulnerable, and it's
> > > only out of sheer luck that I ever noticed this hole existed, because I
> > > happened upon the bug page for CUPS.
> > > 
> > > Remote root exploits in widely-used software are not to be trifled with.
> > > Others may suffer severe consequences because a 12-day-old remote root
> > > hole went unannounced (and, in the case of testing, uncorrected).
> > > 
> > > What is the delay?
> 
> Debian Security Advisories are not issued for unstable.  Debian Security
> Advisories are not issued for testing.
> 
> http://www.debian.org/security/faq#testing

I've read this policy. It leaves a lot of users out in the cold. If
that's how things are done, everyone using Debian versions other than
stable might just as well switch to Microsoft Windows right now; it
isn't any less secure.

> testing, in particular, does not (and often cannot) receive timely security
> updates.  This is by design, as software does not enter testing without
> proper...testing.

Even when a new package version has urgency=high?

> I do not know where you saw a fix for stable, because there has not been an
> advisory yet.  An advisory is in progress.

I was under that impression from BTS logs. Perhaps I was under the wrong
impression. It doesn't really matter, since I am not concerned with the
security of stable, which is basically as good as it can be.

> > As for testing, I have not paid any attention to it to date, choosing
> > instead to focus on stable.  Now that all of the issues with stable are
> > out of the way, I can perhaps make an upload to
> > testing-proposed-updates.  I had hoped that testing would pick up on the
> > update, but forgot about the current problems with glibc.
> 
> As far as I know, there is no such thing as testing-proposed-updates, and
> being able to upload directly to testing would defeat its purpose.  The fix
> will eventually propagate from unstable to testing.

Then testing is self-defeating. It's supposed to be relatively safe, for
people who don't want to (or can't) deal with all of the instability of
unstable. It isn't even remotely safe if it's full of remote root holes!

Alex.

-- 
PGP Public Key: http://aoi.dyndns.org/~alex/pgp-public-key

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS d- s:++ a18 C++(++++)>$ UL+++(++++) P--- L+++>++++ E---- W+(+++) N-
o-- K+ w--- !O M(+) V-- PS+++ PE-- Y+ PGP+(+++) t* 5-- X-- R tv b- DI
D+++ G e h! !r y
------END GEEK CODE BLOCK------

Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org:
Bug#173824; Package cupsys. Full text and rfc822 format available.

Acknowledgement sent to Alexander Hvostov <alex@aoi.dyndns.org>:
Extra info received and forwarded to list. Copy sent to Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org. Full text and rfc822 format available.

Message #41 received at 173824@bugs.debian.org (full text, mbox):

From: Alexander Hvostov <alex@aoi.dyndns.org>
To: Jeff Licquia <licquia@debian.org>
Cc: 173824@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#173824: Not good.
Date: 03 Jan 2003 00:51:40 -0800
On Thu, 2003-01-02 at 09:30, Jeff Licquia wrote:
> On Thu, 2003-01-02 at 08:15, Alexander Hvostov wrote:
> > This bug has been open for 12 days now, and while a fix has been
> > uploaded to stable and unstable, I have yet to see a fix for testing,
> > and I have yet to see a Debian Security Advisory.
> > 
> > This is not good. It's only out of sheer luck that I am using unstable
> > and upgraded recently, so my system is not still vulnerable, and it's
> > only out of sheer luck that I ever noticed this hole existed, because I
> > happened upon the bug page for CUPS.
> > 
> > Remote root exploits in widely-used software are not to be trifled with.
> > Others may suffer severe consequences because a 12-day-old remote root
> > hole went unannounced (and, in the case of testing, uncorrected).
> > 
> > What is the delay?
> 
> The security team may be able to answer your question better on some
> things.  I can tell you what has been going on for me.
> 
> First of all, as you know, unstable was updated right away with the
> latest from ESP.  I will assume you're also aware of Debian's policy
> regarding stable updates.  Because of this, the fixes had to be
> backported from 1.1.18 to 1.1.14.

Then perhaps there needs to be another list, a la
debian-security-announce, that's just for testing/unstable users,
letting them know of security updates even though they haven't been
backported yet.

> Those backports were made available to the security team at the same
> time as the upload to unstable.  Unfortunately, the backport was
> incomplete, as I was able to determine from exploit code sent to me
> several days after the original advisory.  Since that time, I have been
> working with a security team member to try and get those fixes
> finished.  The last one was done just last night.

What's important is that what was done was all that could be done. That
is good.

> I will not speculate on the security team's policy on partial fixes;
> they can tell you something more if they will.  But a complete fix has
> not been available to them for stable until just recently.  There is
> work to do regarding writing an advisory, building the fix for all
> platforms, and so on.

With regards to building the fix for all platforms, releasing it for as
many architectures as you have available, as soon as possible, is a lot
better than nothing. Everyone else will, at best, compile it for their
system, or, at worst, stop using the package until a fix is made
available for their system. For that matter, just telling everyone there
is a security hole before releasing _any_ updates is better than
nothing.

> As for testing, I have not paid any attention to it to date, choosing
> instead to focus on stable.  Now that all of the issues with stable are
> out of the way, I can perhaps make an upload to
> testing-proposed-updates.  I had hoped that testing would pick up on the
> update, but forgot about the current problems with glibc.

Then there should be special versions of packages built against testing
and released, as is done for stable, if the package cannot be inserted
into testing immediately.

Alex.

-- 
PGP Public Key: http://aoi.dyndns.org/~alex/pgp-public-key

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS d- s:++ a18 C++(++++)>$ UL+++(++++) P--- L+++>++++ E---- W+(+++) N-
o-- K+ w--- !O M(+) V-- PS+++ PE-- Y+ PGP+(+++) t* 5-- X-- R tv b- DI
D+++ G e h! !r y
------END GEEK CODE BLOCK------

Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org:
Bug#173824; Package cupsys. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org. Full text and rfc822 format available.

Message #46 received at 173824@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Alexander Hvostov <alex@aoi.dyndns.org>
Cc: Jeff Licquia <licquia@debian.org>, 173824@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#173824: Not good.
Date: Fri, 3 Jan 2003 10:34:24 +0100
Alexander Hvostov wrote:
> > testing, in particular, does not (and often cannot) receive timely security
> > updates.  This is by design, as software does not enter testing without
> > proper...testing.
> 
> Even when a new package version has urgency=high?

Please take into account that testing is frozen at the moment due to
glibc and other updates that would prevent packages from being installed
in testing anyway.  This was mentioned on debian-devel and in DWN a couple
of times.  Don't mix up "frozen" from above with the freeze before a
release.  A release is not that due.

Regards,

	Joey

-- 
Reading is a lost art nowadays.  -- Michael Weber



Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org:
Bug#173824; Package cupsys. Full text and rfc822 format available.

Acknowledgement sent to Alexander Hvostov <alex@aoi.dyndns.org>:
Extra info received and forwarded to list. Copy sent to Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org. Full text and rfc822 format available.

Message #51 received at 173824@bugs.debian.org (full text, mbox):

From: Alexander Hvostov <alex@aoi.dyndns.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Jeff Licquia <licquia@debian.org>, 173824@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#173824: Not good.
Date: 03 Jan 2003 01:43:43 -0800
On Fri, 2003-01-03 at 01:34, Martin Schulze wrote:
> Alexander Hvostov wrote:
> > > testing, in particular, does not (and often cannot) receive timely security
> > > updates.  This is by design, as software does not enter testing without
> > > proper...testing.
> > 
> > Even when a new package version has urgency=high?
> 
> Please take into account that testing is frozen at the moment due to
> glibc and other updates that would prevent packages from being installed
> in testing anyway.  This was mentioned on debian-devel and in DWN a couple
> of times.  Don't mix up "frozen" from above with the freeze before a
> release.  A release is not that due.

As I've already mentioned in another email, there should be special
versions of packages built against testing and released, as is done for
stable, if the package cannot be inserted into testing immediately (as
is presently the case due to the glibc issues you mention).

> Regards,
> 
> 	Joey

Your From, address, and signature conflict. Is your name Joey or Martin?

Alex.

-- 
PGP Public Key: http://aoi.dyndns.org/~alex/pgp-public-key

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS d- s:++ a18 C++(++++)>$ UL+++(++++) P--- L+++>++++ E---- W+(+++) N-
o-- K+ w--- !O M(+) V-- PS+++ PE-- Y+ PGP+(+++) t* 5-- X-- R tv b- DI
D+++ G e h! !r y
------END GEEK CODE BLOCK------

Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org:
Bug#173824; Package cupsys. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org. Full text and rfc822 format available.

Message #56 received at 173824@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Alexander Hvostov <alex@aoi.dyndns.org>
Cc: Jeff Licquia <licquia@debian.org>, 173824@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#173824: Not good.
Date: Fri, 3 Jan 2003 10:53:42 +0100
Alexander Hvostov wrote:
> 
> On Fri, 2003-01-03 at 01:34, Martin Schulze wrote:
> > Alexander Hvostov wrote:
> > > > testing, in particular, does not (and often cannot) receive timely security
> > > > updates.  This is by design, as software does not enter testing without
> > > > proper...testing.
> > > 
> > > Even when a new package version has urgency=high?
> > 
> > Please take into account that testing is frozen at the moment due to
> > glibc and other updates that would prevent packages from being installed
> > in testing anyway.  This was mentioned on debian-devel and in DWN a couple
> > of times.  Don't mix up "frozen" from above with the freeze before a
> > release.  A release is not that due.
> 
> As I've already mentioned in another email, there should be special
> versions of packages built against testing and released, as is done for
> stable, if the package cannot be inserted into testing immediately (as
> is presently the case due to the glibc issues you mention).

You need support for 11+ architectures as well, and you need to ensure
that you don't build with the unstable libc or chances are good that
packages won't work, which would be even worse.  In general, testing
is not supported security-wise - however, the current situation with
packages unable to enter testing is an exception.  I'd expect the
situation to relax soon.  The new libc is missing on only one architecture.
After it builds on that architecture, the situation should improve
each day.

> Your From, address, and signature conflict. Is your name Joey or Martin?

Same for you: "Alex" != "Alexander".
Still, I guess, both is your name.

Regards,

	Joey

-- 
Reading is a lost art nowadays.  -- Michael Weber

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org:
Bug#173824; Package cupsys. Full text and rfc822 format available.

Acknowledgement sent to Alexander Hvostov <alex@aoi.dyndns.org>:
Extra info received and forwarded to list. Copy sent to Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org. Full text and rfc822 format available.

Message #61 received at 173824@bugs.debian.org (full text, mbox):

From: Alexander Hvostov <alex@aoi.dyndns.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Jeff Licquia <licquia@debian.org>, 173824@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#173824: Not good.
Date: 03 Jan 2003 02:01:48 -0800
On Fri, 2003-01-03 at 01:53, Martin Schulze wrote:
> Alexander Hvostov wrote:
> > As I've already mentioned in another email, there should be special
> > versions of packages built against testing and released, as is done for
> > stable, if the package cannot be inserted into testing immediately (as
> > is presently the case due to the glibc issues you mention).
> 
> You need support for 11+ architectures as well, and you need to ensure
> that you don't build with the unstable libc or chances are good that
> packages won't work, which would be even worse.  In general, testing
> is not supported security-wise - however, the current situation with
> packages unable to enter testing is an exception.  I'd expect the
> situation to relax soon.  The new libc is missing on only one architecture.
> After it builds on that architecture, the situation should improve
> each day.

As I also mentioned in another email, releasing a new version for only
some architectures is better than nothing. As for building with unstable
libc and the like, like I said, special versions for testing, as is done
for stable. That means building against testing libc, and so forth.

> > Your From, address, and signature conflict. Is your name Joey or Martin?
> 
> Same for you: "Alex" != "Alexander".
> Still, I guess, both is your name.

"Alex" is an abbreviated form of "Alexander". I've never heard of "Joey"
being an abbreviated form of "Martin". That's why I asked. This is
entirely out of curiosity, mind you.

Alex.

-- 
PGP Public Key: http://aoi.dyndns.org/~alex/pgp-public-key

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS d- s:++ a18 C++(++++)>$ UL+++(++++) P--- L+++>++++ E---- W+(+++) N-
o-- K+ w--- !O M(+) V-- PS+++ PE-- Y+ PGP+(+++) t* 5-- X-- R tv b- DI
D+++ G e h! !r y
------END GEEK CODE BLOCK------

Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org:
Bug#173824; Package cupsys. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org. Full text and rfc822 format available.

Message #66 received at 173824@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: Alexander Hvostov <alex@aoi.dyndns.org>
Cc: Jeff Licquia <licquia@debian.org>, 173824@bugs.debian.org
Subject: Re: Bug#173824: Not good.
Date: Fri, 3 Jan 2003 09:31:49 -0500
On Fri, Jan 03, 2003 at 12:39:40AM -0800, Alexander Hvostov wrote:

> On Thu, 2003-01-02 at 15:21, Matt Zimmerman wrote:
> > Debian Security Advisories are not issued for unstable.  Debian Security
> > Advisories are not issued for testing.
> > 
> > http://www.debian.org/security/faq#testing
> 
> I've read this policy. It leaves a lot of users out in the cold. If
> that's how things are done, everyone using Debian versions other than
> stable might just as well switch to Microsoft Windows right now; it
> isn't any less secure.

Nobody is forcing you to use Debian, and you are encouraged to volunteer to
help improve it if you find fault with it.  Complaints of being "out in the
cold" or threatening to switch to another operating system do not tend to
motivate existing volunteers.

> > testing, in particular, does not (and often cannot) receive timely
> > security updates.  This is by design, as software does not enter testing
> > without proper...testing.
> 
> Even when a new package version has urgency=high?

A package cannot enter testing until all of its dependencies can be
satisfied in testing, because testing cannot have broken dependencies, and
interdependent packages should be tested as a unit.  This applies regardless
of the upload's urgency (which only affects the timeout period).

> > As far as I know, there is no such thing as testing-proposed-updates,
> > and being able to upload directly to testing would defeat its purpose.
> > The fix will eventually propagate from unstable to testing.
> 
> Then testing is self-defeating. It's supposed to be relatively safe, for
> people who don't want to (or can't) deal with all of the instability of
> unstable. It isn't even remotely safe if it's full of remote root holes!

It's not self-defeating simply because it doesn't work the way you thought
it did; you misunderstand its purpose.  It is a tool for preparing Debian
releases, not a value-added service for users (though it does provide some
useful status information).  If you choose to run it on your important
systems, then you must keep track of security problems and ensure that
updates are installed promptly, because no one will do the work for you.
Expect to install packages from unstable if you require a fix.

If you want to continue this discussion, please take it away from team@ and
the BTS, to debian-devel or such.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org:
Bug#173824; Package cupsys. Full text and rfc822 format available.

Acknowledgement sent to Michael Stone <mstone@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org. Full text and rfc822 format available.

Message #71 received at 173824@bugs.debian.org (full text, mbox):

From: Michael Stone <mstone@debian.org>
To: Alexander Hvostov <alex@aoi.dyndns.org>
Cc: 173824@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#173824: Not good.
Date: Mon, 6 Jan 2003 21:53:45 -0500
On Fri, Jan 03, 2003 at 12:39:40AM -0800, Alexander Hvostov wrote:
>Then testing is self-defeating. It's supposed to be relatively safe, for
>people who don't want to (or can't) deal with all of the instability of
>unstable. 

Where did you get that idea? Can you point to the erroneous
documentation so it can be fixed?

Mike Stone

Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org:
Bug#173824; Package cupsys. Full text and rfc822 format available.

Acknowledgement sent to Stephen Quinney <stephen.quinney@computing-services.oxford.ac.uk>:
Extra info received and forwarded to list. Copy sent to Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org. Full text and rfc822 format available.

Message #76 received at 173824@bugs.debian.org (full text, mbox):

From: Stephen Quinney <stephen.quinney@computing-services.oxford.ac.uk>
To: 173824@bugs.debian.org
Subject: Status of security fixes?
Date: Fri, 10 Jan 2003 10:45:28 +0000
Hi there,

I was wondering if you could let me know when the security fixes for
the stable version of cupsys are likely to be available? It has been
nearly 3 weeks since the release of the details. We have had to turn
off our cups system to ensure our system is not vulnerable, we really
need to be able to get this system back online. I understand that cups
is a very complicated system so we're trying to exercise patience but
an idea of when it will be fixed would be very welcome.

Thanks,
	Stephen Quinney

Unix Systems Programmer
Oxford University




Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org:
Bug#173824; Package cupsys. Full text and rfc822 format available.

Acknowledgement sent to Alexander Hvostov <alex@aoi.dyndns.org>:
Extra info received and forwarded to list. Copy sent to Jeff Licquia <licquia@debian.org>, cupsys@packages.qa.debian.org. Full text and rfc822 format available.

Message #81 received at 173824@bugs.debian.org (full text, mbox):

From: Alexander Hvostov <alex@aoi.dyndns.org>
To: Michael Stone <mstone@debian.org>
Cc: 173824@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#173824: Not good.
Date: 12 Jan 2003 10:12:48 -0800
[Message part 1 (text/plain, inline)]
On Mon, 2003-01-06 at 18:53, Michael Stone wrote:
> On Fri, Jan 03, 2003 at 12:39:40AM -0800, Alexander Hvostov wrote:
> >Then testing is self-defeating. It's supposed to be relatively safe, for
> >people who don't want to (or can't) deal with all of the instability of
> >unstable. 
> 
> Where did you get that idea? Can you point to the erroneous
> documentation so it can be fixed?

This was an impression I drew from traffic on debian-devel when testing
was first introduced.

Alex.

-- 
PGP Public Key: http://aoi.dyndns.org/~alex/pgp-public-key

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS d- s:++ a18 C++(++++)>$ UL+++(++++) P--- L+++>++++ E---- W+(+++) N-
o-- K+ w--- !O M(+) V-- PS+++ PE-- Y+ PGP+(+++) t* 5-- X-- R tv b- DI
D+++ G e h! !r y
------END GEEK CODE BLOCK------

Reply sent to Jeff Licquia <licquia@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Erno Kuusela <erno-debbugs@erno.iki.fi>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #86 received at 173824-done@bugs.debian.org (full text, mbox):

From: Jeff Licquia <licquia@debian.org>
To: 173824-done@bugs.debian.org, 177598-done@bugs.debian.org
Subject: [Fwd: [SECURITY] [DSA 232-1] New CUPS packages fix several vulnerabilities]
Date: 20 Jan 2003 15:21:45 -0500
[Message part 1 (text/plain, inline)]
This should take care of these issues.

-- 
Jeff Licquia <licquia@debian.org>
[Message part 2 (message/rfc822, inline)]
From: joey@infodrom.org (Martin Schulze)
To: debian-security-announce@lists.debian.org (Debian Security Announcements)
Subject: [SECURITY] [DSA 232-1] New CUPS packages fix several vulnerabilities
Date: Mon, 20 Jan 2003 16:48:35 +0100 (CET)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 232-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
January 20th, 2003                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : cupsys
Vulnerability  : several
Problem-type   : remote
Debian-specific: no
CVE Id         : CAN-2002-1366 CAN-2002-1367 CAN-2002-1368 CAN-2002-1369 CAN-2002-1371 CAN-2002-1372 CAN-2002-1383 CAN-2002-1384

Multiple vulnerabilities were discovered in the Common Unix Printing
System (CUPS).  Several of these issues represent the potential for a
remote compromise or denial of service.  The Common Vulnerabilities
and Exposures project identifies the following problems:

 . CAN-2002-1383: Multiple integer overflows allow a remote attacker
   to execute arbitrary code via the CUPSd HTTP interface and the
   image handling code in CUPS filters.

 . CAN-2002-1366: Race conditions in connection with /etc/cups/certs/
   allow local users with lp privileges to create or overwrite
   arbitrary files.  This is not present in the potato version.

 . CAN-2002-1367: This vulnerability allows a remote attacker to add
   printers without authentication via a certain UDP packet, which can
   then be used to perform unauthorized activities such as stealing
   the local root certificate for the administration server via a
   "need authorization" page.

 . CAN-2002-1368: Negative lengths fed into memcpy() can cause a
   denial of service and possibly execute arbitrary code.

 . CAN-2002-1369: An unsafe strncat() function call processing the
   options string allows a remote attacker to execute arbitrary code
   via a buffer overflow.

 . CAN-2002-1371: Zero-width images allow a remote attacker to
   execute arbitrary code via modified chunk headers.

 . CAN-2002-1372: CUPS does not properly check the return values of
   various file and socket operations, which could allow a remote
   attacker to cause a denial of service.

 . CAN-2002-1384: The cupsys package contains some code from the xpdf
   package, used to convert PDF files for printing, which contains an
   exploitable integer overflow bug.  This is not present in the
   potato version.

Even though we tried very hard to fix all problems in the packages for
potato as well, the packages may still contain other security-related
problems.  Hence, we advise users of potato systems using CUPS to
upgrade to woody soon.

For the current stable distribution (woody), these problems have been fixed
in version 1.1.14-4.3.

For the old stable distribution (potato), these problems have been fixed
in version 1.0.4-12.1.

For the unstable distribution (sid), these problems have been fixed in
version 1.1.18-1.

We recommend that you upgrade your CUPS packages immediately.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- ---------------------------------


Debian GNU/Linux 3.0 alias woody
- --------------------------------


  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+LBpTW5ql+IAeqTIRAreNAJ45+921LpFIYI/b6pDwaQx7dj346QCeLfrp
7daTEgL4smJLWi/6/A2tN5w=
=FTml
-----END PGP SIGNATURE-----
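
Three of the bug classes named in the advisory above (negative lengths reaching memcpy(), an unsafe strncat()-style append, and unchecked or zero image dimensions), written as hardened C helpers. This is an added illustration, not code from CUPS or from the Debian patches; the function names, the 256 MiB cap and the sample inputs are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)  /* assumed policy cap */

/* CAN-2002-1368 class: a signed length that has gone negative turns into a
 * huge size_t when handed to memcpy(). Validate it while it is still signed. */
int copy_checked(void *dst, size_t dst_size, const void *src, long len)
{
    if (len < 0 || (unsigned long)len > dst_size)
        return -1;
    memcpy(dst, src, (size_t)len);
    return 0;
}

/* CAN-2002-1369 class: appending to a fixed buffer. strncat()'s third
 * argument bounds the bytes appended, not the destination size, so the
 * remaining room has to be computed explicitly. (The advisory does not show
 * the original call; this is the general hardened form.) */
int append_checked(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(dst, '\0', dst_size);
    size_t used, add = strlen(src);

    if (end == NULL)                      /* dst is not NUL-terminated */
        return -1;
    used = (size_t)(end - dst);
    if (add > dst_size - used - 1)        /* no room for src plus the NUL */
        return -1;
    memcpy(dst + used, src, add + 1);
    return 0;
}

/* CAN-2002-1383 / CAN-2002-1371 class: dimensions read from an image header
 * are multiplied into an allocation size. Reject zero values and any product
 * that would wrap or exceed the cap before allocating. */
int image_buffer_size(uint32_t width, uint32_t height,
                      uint32_t bytes_per_pixel, size_t *out)
{
    size_t n;

    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return -1;
    n = width;
    if (n > SIZE_MAX / height)
        return -1;
    n *= height;
    if (n > SIZE_MAX / bytes_per_pixel)
        return -1;
    n *= bytes_per_pixel;
    if (n > MAX_IMAGE_BYTES)
        return -1;
    *out = n;
    return 0;
}

int main(void)
{
    char opts[16] = "media=a4";           /* constructed sample input */
    size_t n = 0;

    printf("negative length:  %d\n", copy_checked(opts, sizeof opts, "x", -1));
    printf("oversized append: %d\n",
           append_checked(opts, sizeof opts, " sides=two-sided"));
    printf("zero-width image: %d\n", image_buffer_size(0, 600, 3, &n));
    printf("640x480x3 image:  %d (%lu bytes)\n",
           image_buffer_size(640, 480, 3, &n), (unsigned long)n);
    return 0;
}
```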




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 20:16:56 2014; Machine Name: beach.debian.org
