On 2010-12-19, Adam D. Barratt <adam@funky-badger.org> wrote:
> On Sun, 2010-12-19 at 14:46 +0100, Moritz Muehlenhoff wrote:
>> On 2010-12-18, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
>> > The security tracker seems to be somewhat confused here, fwiw -
>> > http://security-tracker.debian.org/tracker/CVE-2010-164{7,8} both claim
>> > that the issue was fixed in -2lenny5.
>>
>> The are both marked as no-dsa:
>>
>> CVE-2010-1648 (Cross-site request forgery (CSRF) vulnerability in the login interface ...)
>> - mediawiki 1.15.4-1 (bug #585918; low)
>> [lenny] - mediawiki <no-dsa> (Minor issue)
>> NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
>> CVE-2010-1647 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before ...)
>> - mediawiki 1.15.4-1 (bug #585918; low)
>> [lenny] - mediawiki <no-dsa> (Minor issue)
>> NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
>
> Yeah, I spotted that when looking at the tracker while checking the
> request over. It just seemed odd that they were already marked as fixed
> in -2lenny5 when that upload clearly didn't include the fixes.
The security tracker status page is a bit confusing: It takes the "no-dsa" tag
as a "no further action needed from security team's side, since it's a negligable
issue" and doesn't differentiate to "no further action needed from security team's
side, since it's fixed".
Cheers,
Moritz