Hi Michael, where did the reply come from? It never ended up on this list :/ * Michael Gilbert <email@example.com> [2008-07-06 11:23]: > >> it appears that the recent libxfont1 issues (CVE-2007-5760, > >> CVE-2007-5958, CVE-2007-6427, CVE-2007-6428, and CVE-2007-6429) never > >> affected sid (they were applicable only to sarge and etch ). > > > > They were applicable to sid too, but have nothing to do with libXfont, > > they are bugs in the X server. CVE-2008-0006 was fixed at the same > > time, and actually affected libXfont. > > if that is the case, then shouldn't these libxfont1 issues be removed > from the "Latently vulnerable packages in unstable" list ? > > looking at the individual CVEs (CVE-2007-5760, CVE-2007-5958, > CVE-2007-6427, CVE-2007-6428, and CVE-2007-6429), they all say that > unstable is "not vulnerable". > >  http://security-tracker.debian.net/tracker/data/latently-vulnerable Looking at the underlying tracker data the problem seems to be that DSA-1466-2 included an upload for libxfont for the above CVE ids while only CVE-2008-0006 was fixed in the update of libxfont. Also only CVE-2008-0006 applies to the package in testing/unstable. I am not quite sure how to fix this, if it would be an option to only list packages as latently vulnerable in unstable if they have an <unfixed> tag in the tracker data or if it is possible to split libxfont from the other CVE ids in the DSA entry or maybe there is an even more simple solution. Anyone knows more? -- Nico Golde - http://www.ngolde.de - firstname.lastname@example.org - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
Description: PGP signature