[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: DSA-1471-1 vs. tracker

Hi Francesco,
* Francesco Poli <frx@firenze.linux.it> [2008-01-22 00:24]:
> DSA-1471-1 [1] claims that libvorbis version 1.1.0-2 fixes
> CVE-2007-3106, CVE-2007-4029, and CVE-2007-4066 for sarge.  The DSA page
> [2] seems to ignore this, though.  Correspondent CVS pages [3][4][5]
> consistently claim that version 1.1.0-2 is vulnerable.
> Which of the two is wrong and which is right?
> Moreover, the same DSA [1] claims that version 1.1.2.dfsg-1.3 fixes the
> above-mentioned CVEs for etch.  However the CVE-2007-4029 page [4] tells
> a different story: it states that version 1.1.2.dfsg-1.3 is vulnerable.
> Is this a security-tracker internal inconsistency?
The source package name was missing from the sarge tag in 
our DSA file. Fixed this in svn. Thanks alot for reporting!
Kind regards
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgp2Clh7eh6O7.pgp
Description: PGP signature

Reply to: