Hi

On Fri, 7 Dec 2007 05:17:48 pm dom@alioth.debian.org wrote:
> Author: dom > Date: 2007-12-07 16:17:48 +0000 (Fri, 07 Dec 2007) > New Revision: 7545 > > Modified: > data/CVE/list > Log: > Details for e2fsprogs > > > Modified: data/CVE/list > =================================================================== > --- data/CVE/list 2007-12-07 13:45:28 UTC (rev 7544) > +++ data/CVE/list 2007-12-07 16:17:48 UTC (rev 7545) > @@ -2426,8 +2426,9 @@ > REJECTED > CVE-2007-5498 > RESERVED > -CVE-2007-5497 > - RESERVED > +CVE-2007-5497 (Multiple integer overflows in libext2fs in e2fsprogs ...) > + - e2fsprogs 1.37-2sarge1 > + - e2fsprogs 1.39+1.40-WIP-2006.11.14+dfsg-2 > CVE-2007-5496 > RESERVED > CVE-2007-5495

Sarge is not fixed yet. If the package gets fixed via a DSA, we edit the file data/DSA/list and this automatically adds a note to data/CVE/list. Same goes for DTSAs.

What you could do is add the e2fsprogs stuff under RESERVED.

For data/CVE/list, you should only add the fixed unstable version or use something like:

    - $package $fixed_sid_version (high; bug 123)
    [etch] - $package <no-dsa> (not important)

Cheers
Steffen
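Review bot: the two added "- e2fsprogs" lines under CVE-2007-5497 are both untagged, so the entry states two different fixed versions for the same package with nothing to say which release each applies to. 1.37-2sarge1 is a stable-release version string and does not belong on an untagged line; the reply notes that sarge is not fixed yet and that release-specific fixes are propagated from data/DSA/list. Suggest keeping a single untagged line carrying only the fixed unstable version, with urgency and bug reference in parentheses, and expressing anything release-specific with a release tag such as [etch], following the format shown in the reply.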