| Summary: | pdns is newer in MDV 2010.2 (contrib) updates than Mageia 1 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Remco Rijnders <remco> |
| Status: | RESOLVED WONTFIX | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, dmorganec, fundawang, remco |
| Version: | 1 | ||
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | pdns-2.9.22.5-1.mga1.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser
2012-01-29 22:02:51 CET

Hi, thanks for reporting this bug. As there is no maintainer for this package I added the committers in CC. (Please set the status to 'assigned' if you are working on it.)

CC: (none) => dmorganec, fundawang

Won't fix, as it introduces a major version bump of a server app, which should not happen for a stable version only for upgrading from Mandriva. Plus, contrib/updates is always thought of as unsupported in Mandriva.

Status: NEW => RESOLVED

For Mageia 1, upgrades from MDV 2010.2 are supposed to be supported. Having an older app like this is a problem, because it will get left on a system, and will not receive any updates to it (if there are any, including security updates) from us because we have an older version, nor any updates from MDV because the system won't be connected to their repositories anymore. The distinction MDV makes about contrib being unsupported is not meaningful in Mageia; all packages are supposed to be supported. If we are going to make an exception for this package, at the very least it needs to be mentioned in places like the release notes and instructions for upgrading from MDV 2010.2.

Status: RESOLVED => REOPENED

Just to be clear, I understand your point about not wanting to do major version upgrades, but we've had to do some others to stay in line with some MDV 2010.2 updates. We can avoid this in the future with future Mageia releases. For Mageia 1, we just have to deal with it to ease the transition.

Remco Rijnders
2012-02-27 12:58:27 CET

CC: (none) => remco

Remco Rijnders
2012-03-19 07:01:11 CET

Assignee: bugsquad => remco

There is also a security bug that was fixed in 3.0.1, CVE-2012-0206: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0206

Debian issued an advisory for it on January 10: http://www.debian.org/security/2012/dsa-2385

Component: RPM Packages => Security

Manuel Hiebel
2012-04-07 20:38:12 CEST

Assignee: bugsquad => remco

Not sure how this got assigned to me... but I have the feeling that at this point in time we run more of a chance of inconveniencing users with an upgrade of the package in Mageia 1 than of inconveniencing users wanting to upgrade from Mandriva 2010* to Mageia 1. Especially with Mageia 2 around the corner, we probably should focus on that, and that package is at 3.0.1. It is a bit murky though, and I think Mandriva should not have shipped 3.0.1 as an update for a stable release, but unfortunately we can't dictate their update/upgrade policies. As for comment #5, the version we have in core-updates does not suffer from this security bug. David, I hope you agree that we best close this report for now.

Status: REOPENED => RESOLVED

(In reply to comment #6)
> David, I hope you agree that we best close this report for now.

Not exactly. To quote Comment 3: If we are going to make an exception for this package, at the very least it needs to be mentioned in places like the release notes and instructions for upgrading from MDV 2010.2.

Users upgrading to Mageia 2 will apparently be fine, but we're still leaving users on Mageia 1 hanging, and not communicating the issue in any way. Granted, the security bug isn't present in our version, which is good, but if any new security bugs come out for this package, it will be a problem.

If the Core Updates version is not susceptible to the problem, wouldn't it be ok to just increase the version number, so that it will replace the Mandriva 2010.2 version? Is it safe to downgrade pdns from 3.0.1 to 2.9.22?

CC: (none) => davidwhodgins

(In reply to comment #8)
> If the Core Updates version is not susceptible to the problem,
> wouldn't it be ok to just increase the version number, so that
> it will replace the Mandriva 2010.2 version? Is it safe to
> downgrade pdns from 3.0.1 to 2.9.22?

You mean package 2.9.22 and call it 3.0.1? That would be pretty disingenuous. But we could accomplish the same thing by adding an epoch to the package, so that ours would upgrade theirs, regardless of the version. Of course, your last question would still need to be answered affirmatively for that to be OK.

(In reply to comment #9)
> You mean package 2.9.22 and call it 3.0.1? That would be pretty disingenuous.
> But we could accomplish the same thing by adding an epoch to the package, so
> that ours would upgrade theirs, regardless of the version. Of course, your
> last question would still need to be answered affirmatively for that to be OK.

That's what I was thinking. Looking at the changes though, it doesn't look like it. 3.0.1 is just 3.0 plus the security patch, but 3.0 adds dnssec processing, so if a user has enabled that, then the downgrade would break things. Looks like we'll have to let Mandriva->Mageia upgrades fail on this package.

I still don't see why we can't just backport 3.0.1 to Mageia 1, like we've done with every other package in this situation.

(In reply to comment #11)
> I still don't see why we can't just backport 3.0.1 to Mageia 1, like we've done
> with every other package in this situation.

From http://doc.powerdns.com/upgrades.html#from2.9to3.0: "... An upgrade from 2.9.x to 3.0 should always be monitored carefully."

That's not suitable for a stable release update, especially since the security problem doesn't apply.

It'd be nice if we could document somewhere obvious the packages that haven't been, and probably won't be, updated in Mageia to be newer than MDV 2010.2. Those would be pdns, c-icap, corsixth, wordpress, avalon-framework, and jsr-305.
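The epoch idea raised in comments #8 and #9 depends on how rpm orders two builds of the same package. The following is an added example, not code from this bug report or from Mageia's or Mandriva's packaging: a Python re-implementation of rpm's `rpmvercmp()` segment comparison and epoch:version-release ordering, used to show why Mageia 1's `2.9.22.5-1.mga1` loses to Mandriva's `3.0.1` but would win once given an epoch. Only the version 3.0.1 of the Mandriva build appears in the bug; its release tag below is a constructed placeholder, and the caret (`^`) rule of newer rpm releases is not implemented.

```python
"""Added example (not from the bug report): how rpm decides which of two
builds is newer, and why an Epoch lets a lower version number win.
Mirrors rpm's rpmvercmp()/labelCompare() rules; '~' (pre-release) is
handled, the newer '^' rule is not."""

import re
from typing import Tuple


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm does; -1/0/1.

    Strings are cut into alternating numeric and alphabetic segments at
    any separator.  Numeric segments compare as integers, alphabetic ones
    lexically, a numeric segment beats an alphabetic one at the same
    position, and '~' sorts before anything (3.0~rc1 < 3.0).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators such as '.', '-', '_' (anything not alnum or '~').
        while i < len(a) and not a[i].isalnum() and a[i] != "~":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] != "~":
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take the next segment of the same kind (digits or letters) from both.
        if a[i].isdigit():
            seg_a = re.match(r"[0-9]+", a[i:]).group()
            seg_b = re.match(r"[0-9]*", b[j:]).group()
            isnum = True
        else:
            seg_a = re.match(r"[A-Za-z]+", a[i:]).group()
            seg_b = re.match(r"[A-Za-z]*", b[j:]).group()
            isnum = False
        if not seg_b:
            # Segment kinds differ: numeric counts as newer than alphabetic.
            return 1 if isnum else -1
        if isnum:
            # Drop leading zeros; the longer digit string is the larger number.
            cmp_a, cmp_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(cmp_a) != len(cmp_b):
                return 1 if len(cmp_a) > len(cmp_b) else -1
        else:
            cmp_a, cmp_b = seg_a, seg_b
        if cmp_a != cmp_b:
            return 1 if cmp_a > cmp_b else -1
        i += len(seg_a)
        j += len(seg_b)
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release' into parts; a missing epoch counts as 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, release = (evr.rsplit("-", 1) + [""])[:2]
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Epoch decides first; version and release are only consulted on a tie."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def would_upgrade(installed: str, candidate: str) -> bool:
    """True if rpm would treat `candidate` as newer than `installed`."""
    return compare_evr(candidate, installed) > 0


MGA1 = "2.9.22.5-1.mga1"       # Mageia 1 build, from the bug's Source RPM field
MDV = "3.0.1-1.mdv2010.2"      # Mandriva 2010.2 build; release tag is a constructed placeholder


def demo() -> dict:
    """The situation from the bug: with and without an epoch on the Mageia package."""
    return {
        "plain": would_upgrade(MDV, MGA1),              # False: 3.0.1 is newer
        "with_epoch": would_upgrade(MDV, "1:" + MGA1),  # True: epoch 1 beats 0
        "tilde": rpmvercmp("3.0~rc1", "3.0"),           # -1: pre-release sorts first
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Once set, an `Epoch:` can never be removed without the same ordering problem recurring in the other direction, which is why packagers treat it as a last resort and why the thread also had to settle the separate question of whether the 3.0.1 to 2.9.22 downgrade was safe for users who had enabled dnssec.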