Hi all!

DSA 1389-1 [1] claims that zoph version 0.3.3-12sarge2 fixes CVE-2007-3905 for sarge-security. However, the CVE page [2] states that zoph in sarge-security is still 0.3.3-12sarge1 and still vulnerable. The PTS [3] seems to confirm that no 0.3.3-12sarge2 exists (yet). On the other hand the DSA [1] provides MD5 checksums for zoph version 0.3.3-12sarge1, which is old [4] and does not seem to fix CVE-2007-3905.

Well, I'm lost... Is this an inconsistency?

[1] http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00164.html
[2] http://security-tracker.debian.net/tracker/CVE-2007-3905
[3] http://packages.qa.debian.org/z/zoph.html
[4] http://packages.qa.debian.org/z/zoph/news/20060310T184711Z.html

DSA 1390-1 [5] claims that t1lib version 5.0.2-3sarge1 and version 5.1.0-2etch1 fix CVE-2007-4033 for sarge-security and etch-security, respectively. However, the CVE page [6] states that those very versions are vulnerable.

Is this an inconsistency?

[5] http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00165.html
[6] http://security-tracker.debian.net/tracker/CVE-2007-4033

Please correct the above described inconsistencies (as long as they actually are inconsistencies!), and please keep on with the good job you are doing to improve the security of Debian!

Thank you very much.

P.S.: Please Cc: me on replies, as I am not a list subscriber. Thanks.

--
 http://frx.netsons.org/doc/nanodocs/testing_workstation_install.html
 Need to read a Debian testing installation walk-through?
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4