Hi Francesco,

* Francesco Poli <email@example.com> [2008-01-22 00:24]:
> DSA-1471-1 claims that libvorbis version 1.1.0-2 fixes
> CVE-2007-3106, CVE-2007-4029, and CVE-2007-4066 for sarge. The DSA page
> seems to ignore this, though. Correspondent CVS pages
> consistently claim that version 1.1.0-2 is vulnerable.
>
> Which of the two is wrong and which is right?
>
> Moreover, the same DSA claims that version 1.1.2.dfsg-1.3 fixes the
> above-mentioned CVEs for etch. However the CVE-2007-4029 page tells
> a different story: it states that version 1.1.2.dfsg-1.3 is vulnerable.
> Is this a security-tracker internal inconsistency?
[...]

The source package name was missing from the sarge tag in our DSA file.
Fixed this in svn. Thanks a lot for reporting!

Kind regards
Nico

--
Nico Golde - http://www.ngolde.de - firstname.lastname@example.org - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.