version 3.3.1 has a security hole CVE-2017-11610

Bug #1776600 reported by Janusz Harkot
Affects: supervisor (Ubuntu); Status: Fix Released; Importance: Undecided; Assigned to: Unassigned; Milestone: none listed

Bug Description

The supervisor package is not in line with the actual version (3.3.4); e.g. CVE-2017-11610, a security vulnerability, is not fixed (fixed in 3.3.3).

CVE References

Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :

Hi Janusz!

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

Versions in our releases are: trusty 3.0b2-1ubuntu0.1 and xenial 3.2.0-2ubuntu0.2. The issue in question does not affect the other releases. For trusty and xenial we already did a security update; you can find the info in the changelog. Also, note that the affected versions are before 3.3.3, as the CVE informs (https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11610.html).

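The disagreement in this thread comes from comparing a distribution package version against the upstream "fixed in" version: Ubuntu backports the fix into its frozen package versions, so a version string lower than 3.3.3 is not evidence that the package is unpatched. The following script is an added example, not part of the bug report or of the supervisor or Ubuntu projects. It implements the dpkg version-ordering rules (epoch, upstream, revision, with `~` sorting first) and checks a constructed `dpkg -s supervisor` sample against the fixed builds named in the comment above; the function names, the constructed status text and the assumption that only trusty and xenial are covered are mine.

```python
import itertools
import re

# Fixed Ubuntu builds named in the security team's comment in this thread.
# Releases not listed here are not covered by this check.
FIXED_VERSIONS = {
    "trusty": "3.0b2-1ubuntu0.1",
    "xenial": "3.2.0-2ubuntu0.2",
}
UPSTREAM_FIXED = "3.3.3"  # first upstream release with the fix, per the CVE entry

# Constructed sample of `dpkg -s supervisor` output on a patched xenial host
# (not captured from a real machine).
SAMPLE_DPKG_STATUS = """\
Package: supervisor
Status: install ok installed
Priority: optional
Section: admin
Version: 3.2.0-2ubuntu0.2
Description: system for controlling process state
 Supervisor is a client/server system ...
"""


def _order(c):
    """dpkg ordering for a single non-digit character ('' marks end of run)."""
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)      # letters sort before punctuation
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare two version fragments using dpkg's alternating text/number runs."""
    while a or b:
        ta, tb = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(ta):], b[len(tb):]
        for x, y in itertools.zip_longest(ta, tb, fillvalue=""):
            d = _order(x) - _order(y)
            if d:
                return -1 if d < 0 else 1
        na, nb = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1, ordered like `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def parse_dpkg_status(text):
    """Extract top-level 'Field: value' pairs from `dpkg -s` output."""
    fields = {}
    for line in text.splitlines():
        if line[:1] != " " and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def naive_upstream_check(installed):
    """The reporter's reasoning: anything below upstream 3.3.3 looks vulnerable."""
    return compare_versions(installed, UPSTREAM_FIXED) < 0


def is_vulnerable(installed, release):
    """Compare against the distro build that carries the backported fix.

    Returns None when the release is not in the table (undetermined)."""
    fixed = FIXED_VERSIONS.get(release)
    if fixed is None:
        return None
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    installed = parse_dpkg_status(SAMPLE_DPKG_STATUS)["Version"]
    print("installed:", installed)
    print("naive upstream check says vulnerable:", naive_upstream_check(installed))  # True (false positive)
    print("distro-aware check says vulnerable:", is_vulnerable(installed, "xenial"))  # False
```

On a real host, replace `SAMPLE_DPKG_STATUS` with the output of `dpkg -s supervisor` and pick the release from `lsb_release -cs`; the `None` result for an unlisted release is deliberate, so that a scanner does not report "patched" for a release the table says nothing about.
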
information type: Private Security → Public Security
Leonidas S. Barbosa (leosilvab) wrote :

Decided to keep this as public-security since it has CVE and sec update info.

Janusz Harkot (jh-jerzyk) wrote :

Thanks for the feedback. One more question from my side: why not update to the newest supervisor instead of patching the older version? I'm asking because it looks like there is always a lag on this package :) Is there anything I can do to keep this package current?

Leonidas S. Barbosa (leosilvab) wrote :

When a new release is made, it takes as its base some Debian release at that time, with a set of aligned upstream packages chosen and all libraries put together. What happens is that we freeze those versions to keep doing updates, such as security ones. Upstream packages don't freeze their libraries or dependencies; they change very quickly (for some packages, of course), so as an upstream package 'evolves' to a new version it may have new libraries or dependencies that can break a frozen release. For example, a libc dependency can break everything if it introduces new symbols from an old version to a new one.

In that scenario, this package is in universe, so the best we can do is security updates in some exceptional cases, such as when there is a customer request. As you can see, there is also a bit of business here.

Changed in supervisor (Ubuntu):
status: New → Fix Released