The Release Cycle section shows how the classic patching process of
distributions isn't always effective, and can even introduce additional
bugs and vulnerabilities non present in the upstream project. The two
linked examples, though, are not that insightful; the first one links to
a double free caused by an erroneous bugfix backport, while the second
shows a simple crash, but caused by a patch not relevant to the backport
of patches but wrote by a Debian developer trying to port the library
to another kernel. In short, the second linked bug has little to do with
the issue described in the guide.
This small patch replaces the aforementioned Firefox bug report with
the Debian Security Advisory 1571 (DSA-1571), describing a serious bug
introduced in the OpenSSL crypto library by an incautious backport of a
security fix, only present in Debian's OpenSSL package. In my opinion, it
gives to the reader a clearer idea of what a partial backport can cause.
Signed-off-by: Andrea Pappacoda <andrea@pappacoda.it>
