Re: Tracker inconsistency regarding gallery2?
On Sat, Nov 10, 2007 at 07:35:38PM +0100, Thijs Kinkhorst wrote:
> Hi All,
> On Friday 9 November 2007 23:52, Francesco Poli wrote:
> > Hi all again!
> > DSA 1404-1 claims that gallery2 version 2.1.2-2.0.etch.1 fixes
> > CVE-2007-4650 for etch.
> > The DSA page seems to confirm this.
> > However the CVE page tells a different story: it states that version
> > 2.1.2-2.0.etch.1 is vulnerable.
> > Is this a security-tracker internal inconsistency?
> I'm a bit confused by this. The tracker information now says:
> CVE-2007-4650 (Multiple unspecified vulnerabilities in Gallery before 2.2.3
> allow ...)
> - gallery2 2.2.3-1
> [etch] - gallery2 <unfixed> (bug #441407)
Suite-specific <unfixed> entries should not be used for the exact reason
Francesco reported: The suite-specific tag overlays the general entry
set by the DSA/list data. It's also not necessary here, since
"- gallery2 2.2.3-1" marks all older versions implicitly as unfixed.
The few cornercases where suite-specific unfixed entries are useful are
cases where a source package has been renamed and is no longer present
Since it's not obvious it should be added to the Tracker docs (unless it