Hi Francesco,

* Francesco Poli <frx@firenze.linux.it> [2008-01-22 00:24]:
> DSA-1471-1 [1] claims that libvorbis version 1.1.0-2 fixes
> CVE-2007-3106, CVE-2007-4029, and CVE-2007-4066 for sarge. The DSA page
> [2] seems to ignore this, though. Correspondent CVS pages [3][4][5]
> consistently claim that version 1.1.0-2 is vulnerable.
>
> Which of the two is wrong and which is right?
>
> Moreover, the same DSA [1] claims that version 1.1.2.dfsg-1.3 fixes the
> above-mentioned CVEs for etch. However the CVE-2007-4029 page [4] tells
> a different story: it states that version 1.1.2.dfsg-1.3 is vulnerable.
> Is this a security-tracker internal inconsistency?
[...]

The source package name was missing from the sarge tag in our DSA file.
Fixed this in svn. Thanks a lot for reporting!

Kind regards
Nico

--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.