
Re: Tracker inconsistency regarding gallery2?



On Sat, Nov 10, 2007 at 07:35:38PM +0100, Thijs Kinkhorst wrote:
> Hi All,
> 
> On Friday 9 November 2007 23:52, Francesco Poli wrote:
> > Hi all again!
> >
> > DSA 1404-1 [1] claims that gallery2 version 2.1.2-2.0.etch.1 fixes
> > CVE-2007-4650 for etch.
> > The DSA page [2] seems to confirm this.
> > However the CVE page [3] tells a different story: it states that version
> > 2.1.2-2.0.etch.1 is vulnerable.
> > Is this a security-tracker internal inconsistency?
> 
> I'm a bit confused by this. The tracker information now says:
> 
> CVE-2007-4650 (Multiple unspecified vulnerabilities in Gallery before 2.2.3 
> allow ...)
>         {DSA-1404-1}
>         - gallery2 2.2.3-1
>         [etch] - gallery2 <unfixed> (bug #441407)

Suite-specific <unfixed> entries should not be used for the exact reason
Francesco reported: The suite-specific tag overlays the general entry
set by the DSA/list data. It's also not necessary here, since
"- gallery2 2.2.3-1" marks all older versions implicitly as unfixed.

The few corner cases where suite-specific unfixed entries are useful are
cases where a source package has been renamed and is no longer present
in unstable.

Since it's not obvious, it should be added to the Tracker docs (unless it
exists already).

Cheers,
        Moritz
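To make the overlay rule Moritz describes concrete, here is an added example (not the security tracker's own code) that models how a suite-specific `<unfixed>` line shadows the etch fix that the referenced DSA supplies, and how the general `- gallery2 2.2.3-1` line alone already marks older versions as unfixed. The CVE/list text, the DSA fix table and the simplified version comparison are constructed assumptions; the real tracker uses full dpkg version semantics.

```python
import re

# Constructed sample in the style of the tracker's CVE/list, reproducing the quoted entry.
CVE_LIST = """\
CVE-2007-4650 (Multiple unspecified vulnerabilities in Gallery before 2.2.3 allow ...)
\t{DSA-1404-1}
\t- gallery2 2.2.3-1
\t[etch] - gallery2 <unfixed> (bug #441407)
"""

# Assumed model of what the DSA data contributes: DSA-1404-1 fixed gallery2 in etch.
DSA_FIXES = {"DSA-1404-1": {"etch": {"gallery2": "2.1.2-2.0.etch.1"}}}

def parse_entry(text):
    """Split one CVE entry into DSA references, general and suite-specific lines."""
    entry = {"dsas": [], "general": {}, "suite": {}}
    for line in text.splitlines()[1:]:
        line = line.strip()
        if m := re.match(r"\{(.+)\}", line):
            entry["dsas"] += m.group(1).split()
        elif m := re.match(r"(?:\[(\w+)\] )?- (\S+) (\S+)", line):
            suite, pkg, ver = m.groups()
            target = entry["suite"].setdefault(suite, {}) if suite else entry["general"]
            target[pkg] = ver
    return entry

def version_lt(a, b):
    """Simplified Debian version ordering (no epoch or tilde handling)."""
    tok = lambda v: [int(t) if t.isdigit() else t for t in re.findall(r"\d+|\D+", v)]
    ta, tb = tok(a), tok(b)
    for x, y in zip(ta, tb):
        if x != y:
            if isinstance(x, int) != isinstance(y, int):  # digits sort before letters
                return isinstance(x, int)
            return x < y
    return len(ta) < len(tb)

def status(entry, suite, pkg, installed):
    """Resolve a package's state: suite entry overlays DSA data, which overlays general."""
    if pkg in entry["suite"].get(suite, {}):
        fixed = entry["suite"][suite][pkg]
    else:
        fixed = next((DSA_FIXES[d][suite][pkg] for d in entry["dsas"]
                      if pkg in DSA_FIXES.get(d, {}).get(suite, {})),
                     entry["general"].get(pkg))
    if fixed in (None, "<unfixed>"):
        return "vulnerable"
    return "fixed" if not version_lt(installed, fixed) else "vulnerable"
```

Dropping the `[etch]` line is enough for the DSA data to apply again to etch, while unstable is still judged against 2.2.3-1.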
