Hi all!

DSA-1471-1 [1] claims that libvorbis version 1.1.0-2 fixes CVE-2007-3106, CVE-2007-4029, and CVE-2007-4066 for sarge. The DSA page [2] seems to ignore this, though. The corresponding CVE pages [3][4][5] consistently claim that version 1.1.0-2 is vulnerable. Which of the two is wrong and which is right?

Moreover, the same DSA [1] claims that version 1.1.2.dfsg-1.3 fixes the above-mentioned CVEs for etch. However, the CVE-2007-4029 page [4] tells a different story: it states that version 1.1.2.dfsg-1.3 is vulnerable. Is this a security-tracker internal inconsistency?

[1] http://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00031.html
[2] http://security-tracker.debian.net/tracker/DSA-1471-1
[3] http://security-tracker.debian.net/tracker/CVE-2007-3106
[4] http://security-tracker.debian.net/tracker/CVE-2007-4029
[5] http://security-tracker.debian.net/tracker/CVE-2007-4066

Please correct these inconsistencies (as long as they really are inconsistencies!).

Thank you very much for your efforts to improve Debian security!

P.S.: Please Cc: me on replies, as I am not a list subscriber. Thanks.

--
http://frx.netsons.org/progs/scripts/refresh-pubring.html
New! Version 0.6 available! What? See for yourself!
.....................................................
Francesco Poli . GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4