Hi all,
I've seen on the list archives that the tracker has been updated to
reflect the stable -> oldstable shift, but there's something that looks
wrong to me.
The testing branch is now reported [1] with some 75 more security
holes than before the update.
This means that squeeze, which is currently virtually identical to
lenny, is claimed to be affected by 75 more vulnerabilities than
lenny...
I think the issue is that many bugs which were tagged as fixed in lenny
are not equally considered as fixed in squeeze, even though the two
branches (lenny and squeeze) have the same exact version of the
affected package.
An example is CVE-2008-2469 [2], where the version table is:
Source Package   Release                  Version                       Status
libspf2 (PTS)    etch, etch (security)    1.2.5-4+etch1                 fixed
                 lenny, lenny (security)  1.2.5.dfsg-5+lenny1           fixed
                 squeeze                  1.2.5.dfsg-5+lenny1           vulnerable
                 etch-backports           1.2.5.dfsg-5+lenny1~bpo40+1   vulnerable
                 sid                      1.2.9-1                       fixed
since the fixed-version data are:
Package   Type     Release      Fixed Version         Urgency   Origin       Debian Bugs
libspf2   source   (unstable)   1.2.9-1               high
libspf2   source   etch         1.2.5-4+etch1         unknown   DSA-1659-1
libspf2   source   lenny        1.2.5.dfsg-5+lenny1   unknown   DTSA-172-1
I think this situation is incorrect and should be rectified ASAP.
Even better: an automated mechanism should be implemented in order to
prevent such a situation from happening during the next releases...
[1] http://security-tracker.debian.net/tracker/status/release/testing
[2] http://security-tracker.debian.net/tracker/CVE-2008-2469
P.S.: Please Cc: me on replies, as I am not a list subscriber. Thanks.
--
On some search engines, searching for my nickname AND
"nano-documents" may lead you to my website...
..................................................... Francesco Poli .
GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
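The post above describes a status derivation that depends on which release a fixed version was recorded for, rather than on the version itself. The following is an added example, written for this page and not code from the Debian security tracker or from the poster. It takes the two libspf2 / CVE-2008-2469 tables from the post as constructed input, implements Debian (dpkg-style) version comparison, and contrasts a per-release lookup, which reproduces the inconsistency the post reports (squeeze "vulnerable" with the same version that lenny has "fixed"), with a version-based rule under which an identical version gets an identical status. The per-release model, the corrected rule, the release names used as keys and all function names are assumptions made for this example; the real tracker's algorithm is not shown on this page.

```python
"""Deriving per-release security status from fixed-version data.

Added illustrative example; not the Debian security tracker's code.
Input data is copied from the post's two tables for CVE-2008-2469.
"""
import re


def _split(v):
    """Split 'epoch:upstream-revision' as Debian policy defines it."""
    epoch, sep, rest = v.partition(':')
    if not sep:
        epoch, rest = '0', v
    upstream, sep, revision = rest.rpartition('-')
    if not sep:
        upstream, revision = rest, ''
    return int(epoch), upstream, revision


def _order(c):
    """dpkg ordering of one non-digit character: '~' sorts before everything,
    including end-of-string (''); letters sort before non-letters."""
    if c == '~':
        return -1
    if c == '':
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare two version fragments the way dpkg does: alternate between
    non-digit runs (character by character with the '~' rule) and digit
    runs (compared numerically)."""
    while a or b:
        na = re.match(r'\D*', a).group()
        nb = re.match(r'\D*', b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            ca = na[i] if i < len(na) else ''
            cb = nb[i] if i < len(nb) else ''
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        da = re.match(r'\d*', a).group()
        db = re.match(r'\d*', b).group()
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return ia - ib
    return 0


def compare_versions(a, b):
    """Negative / zero / positive, like `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


# Constructed input: the version table and fixed-version data from the post.
VERSIONS = {  # release -> version currently in the archive
    'etch': '1.2.5-4+etch1',
    'lenny': '1.2.5.dfsg-5+lenny1',
    'squeeze': '1.2.5.dfsg-5+lenny1',
    'etch-backports': '1.2.5.dfsg-5+lenny1~bpo40+1',
    'sid': '1.2.9-1',
}
FIXED = {  # release -> version recorded as fixing the issue
    'unstable': '1.2.9-1',
    'etch': '1.2.5-4+etch1',
    'lenny': '1.2.5.dfsg-5+lenny1',
}


def status_per_release(release, versions=VERSIONS, fixed=FIXED):
    """Per-release lookup (assumed model of the behaviour the post describes):
    only a fixed version recorded for this release, or for unstable, counts.
    squeeze has no entry, so its version is measured against 1.2.9-1 and comes
    out 'vulnerable' although lenny ships the identical version as 'fixed'."""
    key = 'unstable' if release == 'sid' else release
    ref = fixed.get(key, fixed['unstable'])
    return 'fixed' if compare_versions(versions[release], ref) >= 0 else 'vulnerable'


def status_by_version(release, versions=VERSIONS, fixed=FIXED):
    """Version-based rule (assumption, not the tracker's): in addition to the
    per-release lookup, a version that exactly equals one recorded as fixed
    for any release is fixed too, since the same package cannot be fixed in
    one suite and vulnerable in another.  Exact equality rather than '>=' is
    used across suites: '>=' would wrongly mark etch-backports as fixed, its
    ...~bpo40+1 being newer than etch's fix but older than lenny's."""
    if status_per_release(release, versions, fixed) == 'fixed':
        return 'fixed'
    v = versions[release]
    if any(compare_versions(v, f) == 0 for f in fixed.values()):
        return 'fixed'
    return 'vulnerable'


def status_table(rule, versions=VERSIONS):
    """Apply a status rule to every release in the version table."""
    return {release: rule(release) for release in versions}


if __name__ == '__main__':
    for name, rule in (('per-release', status_per_release),
                       ('by-version', status_by_version)):
        print(name)
        for release, status in status_table(rule).items():
            print(f'  {release:15} {VERSIONS[release]:30} {status}')
```

Running the block prints both tables: the per-release rule reproduces the post's squeeze/etch-backports rows, while the version-based rule flips squeeze to "fixed" and keeps etch-backports "vulnerable", which is the consistency check an automated mechanism of the kind the post asks for would need to enforce after each stable-to-oldstable shift.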