
DSA-1471-1 vs. tracker

Hi all!

DSA-1471-1 [1] claims that libvorbis version 1.1.0-2 fixes
CVE-2007-3106, CVE-2007-4029, and CVE-2007-4066 for sarge.  The DSA page
[2] seems to ignore this, though.  The corresponding CVE pages [3][4][5]
consistently claim that version 1.1.0-2 is vulnerable.

Which of the two is wrong and which is right?

Moreover, the same DSA [1] claims that version 1.1.2.dfsg-1.3 fixes the
above-mentioned CVEs for etch.  However, the CVE-2007-4029 page [4] tells
a different story: it states that version 1.1.2.dfsg-1.3 is vulnerable.
Is this a security-tracker internal inconsistency?

[1] http://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00031.html
[2] http://security-tracker.debian.net/tracker/DSA-1471-1
[3] http://security-tracker.debian.net/tracker/CVE-2007-3106
[4] http://security-tracker.debian.net/tracker/CVE-2007-4029
[5] http://security-tracker.debian.net/tracker/CVE-2007-4066

Please correct these inconsistencies (as long as they really are 

Thank you very much for your efforts to improve Debian security!

P.S.: Please Cc: me on replies, as I am not a list subscriber.  Thanks.

 New! Version 0.6 available! What? See for yourself!
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4
