
stable vs. testing: same versions, different status



Hi all!

I have already reported the general issue:
http://lists.debian.org/debian-security-tracker/2009/02/msg00006.html
and all the specific inconsistencies were fixed at the time:
http://lists.debian.org/debian-security-tracker/2009/03/msg00008.html

However, this kind of issue seems to pop up again.
There are vulnerabilities in the tracker that show up as fixed in
lenny, and as unfixed in squeeze, despite the package version being the
*same* in the two suites.

For instance, various linux-2.6 vulnerabilities are affected by this
apparent inconsistency:
http://security-tracker.debian.net/tracker/CVE-2009-1527
http://security-tracker.debian.net/tracker/CVE-2009-0031
http://security-tracker.debian.net/tracker/CVE-2009-0322
http://security-tracker.debian.net/tracker/CVE-2009-0675
http://security-tracker.debian.net/tracker/CVE-2009-0676
http://security-tracker.debian.net/tracker/CVE-2009-0745
http://security-tracker.debian.net/tracker/CVE-2009-0746
http://security-tracker.debian.net/tracker/CVE-2009-0747
http://security-tracker.debian.net/tracker/CVE-2009-0748
http://security-tracker.debian.net/tracker/CVE-2009-0935
http://security-tracker.debian.net/tracker/CVE-2009-1360
http://security-tracker.debian.net/tracker/CVE-2009-0029
http://security-tracker.debian.net/tracker/CVE-2009-0787
http://security-tracker.debian.net/tracker/CVE-2009-0065
http://security-tracker.debian.net/tracker/CVE-2009-0269

Moreover, it is my understanding that a security update for stable is
automatically used for testing too, whenever testing does not have any
newer version of the package.
If this is the case, then I think a number of other tracker
inconsistencies are present: lenny and squeeze are considered
vulnerable (with the same package version), "lenny (security)" is
considered fixed, but there is no "squeeze (security)" fixed entry.

Again looking at linux-2.6, here are the examples:
http://security-tracker.debian.net/tracker/CVE-2009-0834
http://security-tracker.debian.net/tracker/CVE-2009-0835
http://security-tracker.debian.net/tracker/CVE-2009-0028
http://security-tracker.debian.net/tracker/CVE-2009-1046
http://security-tracker.debian.net/tracker/CVE-2009-1072
http://security-tracker.debian.net/tracker/CVE-2009-1184
http://security-tracker.debian.net/tracker/CVE-2009-1192
http://security-tracker.debian.net/tracker/CVE-2009-1242
http://security-tracker.debian.net/tracker/CVE-2009-1265
http://security-tracker.debian.net/tracker/CVE-2009-1337
http://security-tracker.debian.net/tracker/CVE-2009-1338
http://security-tracker.debian.net/tracker/CVE-2009-1439


Please fix these inconsistencies.

-- 
 New location for my website! Update your bookmarks!
 http://www.inventati.org/frx
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4
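
The two inconsistencies reported above can be detected mechanically. The following is an added example, not part of the original message and not the tracker's own code; the record layout, the package name, the versions and the CVE placeholders are all constructed, and the second check relies on the message's stated understanding that a stable security update also serves testing.

```python
from typing import NamedTuple

class Entry(NamedTuple):
    version: str
    status: str  # "fixed" or "vulnerable"

# Constructed sample: (CVE placeholder, package) -> {suite: Entry}.
# This layout is hypothetical, not the tracker's real schema.
SAMPLE = {
    ("CVE-EXAMPLE-1", "examplepkg"): {        # same version, different status
        "lenny": Entry("1.0-1", "fixed"),
        "squeeze": Entry("1.0-1", "vulnerable"),
    },
    ("CVE-EXAMPLE-2", "examplepkg"): {        # security fix known for stable only
        "lenny": Entry("1.0-1", "vulnerable"),
        "squeeze": Entry("1.0-1", "vulnerable"),
        "lenny (security)": Entry("1.0-1+sec1", "fixed"),
    },
    ("CVE-EXAMPLE-3", "examplepkg"): {        # versions differ: not comparable
        "lenny": Entry("1.0-1", "vulnerable"),
        "squeeze": Entry("1.2-1", "fixed"),
    },
    ("CVE-EXAMPLE-4", "examplepkg"): {        # consistent: both security entries
        "lenny": Entry("1.0-1", "vulnerable"),
        "squeeze": Entry("1.0-1", "vulnerable"),
        "lenny (security)": Entry("1.0-1+sec1", "fixed"),
        "squeeze (security)": Entry("1.0-1+sec1", "fixed"),
    },
}

def find_inconsistencies(records, stable="lenny", testing="squeeze"):
    """Return (cve, package, kind) for each suspicious record."""
    findings = []
    for (cve, pkg), suites in sorted(records.items()):
        s, t = suites.get(stable), suites.get(testing)
        if s is None or t is None or s.version != t.version:
            continue  # different versions may legitimately differ in status
        if s.status != t.status:
            findings.append((cve, pkg, "same-version-different-status"))
            continue
        sec = suites.get(f"{stable} (security)")
        if (s.status == "vulnerable" and sec is not None
                and sec.status == "fixed"
                and f"{testing} (security)" not in suites):
            findings.append((cve, pkg, "missing-testing-security-entry"))
    return findings

if __name__ == "__main__":
    for finding in find_inconsistencies(SAMPLE):
        print(*finding)
```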
