
Re: DSA-1612-1 vs. tracker



Hi Francesco,
* Francesco Poli <frx@firenze.linux.it> [2008-07-23 00:19]:
[...] 
> First off, the tracker page [2] lists one seemingly spurious CVE as
> fixed by this DSA: it claims that CVE-2006-2662 [3] is fixed by
> ruby1.8/1.8.5-4etch2, but CVE-2006-2662 seems to talk about VMware
> Server, not about Ruby!
> I think this CVE was added to the tracker page [2] by mistake...

This is a bug in the original DSA advisory: it references
CVE-2006-2662, and as the DSA tracker data is now
automatically updated via the advisories, this bug made it
into the tracker as well. Thanks for spotting this; it's of
course CVE-2008-2662.

> Secondly, the DSA [1] claims that all the CVEs are fixed in unstable by
> ruby1.8/1.8.7.22-2, while the tracker page for CVE-2008-2376 [4] claims
> that ruby1.8/1.8.7.22-2 is still vulnerable.

Fixed

> If these are actual inconsistencies, please fix them ASAP.
> 
> Thanks for your efforts in improving Debian security!

Thanks again for spotting this!
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
