"New installations (of Debian 3.1 from CD and DVD) will not get security updates by default," Debian developer Colin Watson wrote in an e-mail warning. Installations from floppy disks or network servers were not affected.
Watson apologized and asked vendors to delay burning CDs or DVDs of Debian 3.1, saying that an update would be available shortly. However, Steve Langasek--another member of the release team--said on his blog that it would probably be a day or two before the updated CDs and DVDs were available everywhere.
"Whoops," Langasek wrote. "Don't go pressing those 10,000 copies of (3.1) just yet."
The good news for those who have already installed the operating system is that fixing the problem is a simple matter of replacing an entry in a configuration file.
Version 3.1 has been long anticipated by the Debian community, as it's been three years since the last major release of the software. This cycle is significantly slower than that followed by competing Linux vendors such as Red Hat.
Debian is not the only high-profile software project to be forced to fix a security flaw shortly after the time of release.
Netscape fixed two critical flaws in the new version of its browser in a similarly short time frame after it was released late last month. Ironically, Netscape marketed the release as being able to provide users with additional security features not found elsewhere.