[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

New tracker inconsistencies



Hi all!

DSA 1389-1 [1] claims that zoph version 0.3.3-12sarge2 fixes
CVE-2007-3905 for sarge-security.
However, the CVE page [2] states that zoph in sarge-security is still
0.3.3-12sarge1 and still vulnerable.
The PTS [3] seems to confirm that no 0.3.3-12sarge2 exists (yet).
On the other hand the DSA [1] provides MD5 checksums for zoph version
0.3.3-12sarge1, which is old [4] and does not seem to fix CVE-2007-3905

Well, I'm lost...
Is this an inconsistency?

[1] http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00164.html
[2] http://security-tracker.debian.net/tracker/CVE-2007-3905
[3] http://packages.qa.debian.org/z/zoph.html
[4] http://packages.qa.debian.org/z/zoph/news/20060310T184711Z.html


DSA 1390-1 [5] claims that t1lib version 5.0.2-3sarge1 and version
5.1.0-2etch1 fix CVE-2007-4033 for sarge-security and etch-security,
respectively.
However, the CVE page [6] states that those very versions are
vulnerable.

Is this an inconsistency?

[5] http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00165.html
[6] http://security-tracker.debian.net/tracker/CVE-2007-4033


Please correct the above described inconsistencies (as long as they
actually are inconsistencies!), and please keep on with the good job you
are doing to improve the security of Debian!
Thank you very much.


P.S.: Please Cc: me on replies, as I am not a list subscriber.  Thanks.

-- 
 http://frx.netsons.org/doc/nanodocs/testing_workstation_install.html
 Need to read a Debian testing installation walk-through?
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4

Attachment: pgpyJRj917jC4.pgp
Description: PGP signature


Reply to: