
DSA-1612-1 vs. tracker
Hi again!

DSA-1612-1 [1] has been recently issued and a corresponding tracker
page [2] was added.

However, it seems that there are a couple of inconsistencies between the
DSA and the tracker.

First off, the tracker page [2] lists one seemingly spurious CVE as
fixed by this DSA: it claims that CVE-2006-2662 [3] is fixed by
ruby1.8/1.8.5-4etch2, but CVE-2006-2662 seems to talk about VMware
Server, not about Ruby!
I think this CVE was added to the tracker page [2] by mistake...

Secondly, the DSA [1] claims that all the CVEs are fixed in unstable by
ruby1.8/1.8.7.22-2, while the tracker page for CVE-2008-2376 [4] claims
that ruby1.8/1.8.7.22-2 is still vulnerable.

If these are actual inconsistencies, please fix them ASAP.

Thanks for your efforts in improving Debian security!

[1] http://lists.debian.org/debian-security-announce/2008/msg00195.html
[2] http://security-tracker.debian.net/tracker/DSA-1612-1
[3] http://security-tracker.debian.net/tracker/CVE-2006-2662
[4] http://security-tracker.debian.net/tracker/CVE-2008-2376

P.S.: Please Cc: me on replies, as I am not a list subscriber.  Thanks.

-- 
 http://frx.netsons.org/doc/index.html#nanodocs
 The nano-document series is here!
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4
