Re: libxfont1 issues should not show up in the latently vulnerable packages list



>> it appears that the recent libxfont1 issues (CVE-2007-5760,
>> CVE-2007-5958, CVE-2007-6427, CVE-2007-6428, and CVE-2007-6429) never
>> affected sid (they were applicable only to sarge and etch [1]).
>
> They were applicable to sid too, but have nothing to do with libXfont,
> they are bugs in the X server.  CVE-2008-0006 was fixed at the same
> time, and actually affected libXfont.

If that is the case, then shouldn't these libxfont1 issues be removed
from the "Latently vulnerable packages in unstable" list [1]?

Looking at the individual CVEs (CVE-2007-5760, CVE-2007-5958,
CVE-2007-6427, CVE-2007-6428, and CVE-2007-6429), they all say that
unstable is "not vulnerable".

[1] http://security-tracker.debian.net/tracker/data/latently-vulnerable

