Comment by shakna

3 days ago

The "outdated" package probably has all these security fixes [0]. That's why it exists - to maintain something safely. You step back from the latest and greatest so as not to get a compromised system the next time something goes wrong.

[0] https://sources.debian.org/patches/jq/1.7.1-6+deb13u2/

Nope, it hasn't, because developers fix bugs along the way without notifying package maintainers.

  • You might need to expand on that. Considering the CVE patches that are on the link I just shared.

    • What's so hard? A developer finds a bug, fixes it, publishes a new release at some point, done. Versus: someone else finds a bug, maybe opens a CVE, the bug gets fixed, the maintainer might notice it, backports the patch and fixes (or breaks) the package. The latter CVE case is the rare case, hence all the crashes. E.g. Busybox is famous for that. They have a plethora of security issues documented in their bug tracker. Sometimes they even get fixed, but most of them never get a CVE, issues stay open, and you can guess whether it's vulnerable or not (usually it is; don't use it).