On Sat, 20 Dec 2008 01:30:39 pm Francesco Poli wrote:
> Hi list,
> DTSA-180-1 has just been issued [1].
> It claims that courier-authlib/0.61.0-1+lenny1 fixes CVE-2008-2380 in
> lenny (security).
> The tracker page [2] for CVE-2008-2380 is awkward, though.
> It includes the following vulnerability table:
>
> courier-authlib (PTS)  etch              0.58-4           vulnerable
>                        lenny             0.61.0-1         vulnerable
>                        lenny (security)  0.61.0-1+lenny1  fixed
>                        sid               0.61.0-1+lenny1  vulnerable
>
> This looks strange to me, since the same package version is considered
> as fixed in lenny (security), but vulnerable in sid...
> Does this depend on some obscure interaction with other packages?
> Or should the CVE be marked as fixed in sid, too?

I wasn't aware of the new dak feature on ftp-master that uploads to
testing-security which are newer than the unstable version get put into
unstable as well. I've marked it as fixed in sid now as well. Since the
issue was embargoed, it was fixed via testing-security first and prepared
in secret.

> [1] http://security-tracker.debian.net/tracker/DTSA-180-1
> [2] http://security-tracker.debian.net/tracker/CVE-2008-2380
>
> P.S.: Please Cc: me on replies, as I am not a list subscriber. Thanks.

You appear to be a regular, so why not subscribe? ;)
Also, Moritz offered you commit access to the tracker, do you have any
intention to follow up on it? Feel free to query me on IRC, if you want to
discuss this further (nick "white").

Cheers
Steffen