
DSA-1771-1 vs. tracker

Hi everyone,
DSA-1771-1 [1] was issued back on Wednesday, and the corresponding
tracker page [2] was created.

I think there are a few inconsistencies, though.

The DSA refers to two CVEs [3][4] and to one further vulnerability
with no CVE number yet.
The DSA tracker page [2] only refers to the two CVEs.
I think it would be useful to mark the CVE-less vulnerability as fixed,
as well, maybe by referring to a TEMP, which will later be converted
into a CVE...

Moreover, the DSA says that the two CVEs are fixed
 * for etch  in version 0.90.1dfsg-4etch19
 * for lenny in version 0.94.dfsg.2-1lenny2
 * for sid   in version 0.95.1+dfsg-1
On the other hand, the CVE tracker pages [3][4] also claim
that squeeze is fixed, even though it still has version 0.94.dfsg.2-1.
Is this good news, or just a mistake on the tracker?

Please clarify and/or correct these inconsistencies.

[1] http://lists.debian.org/debian-security-announce/2009/msg00082.html
[2] http://security-tracker.debian.net/tracker/DSA-1771-1
[3] http://security-tracker.debian.net/tracker/CVE-2008-6680
[4] http://security-tracker.debian.net/tracker/CVE-2009-1270

P.S.: Please Cc: me on replies, as I am not a list subscriber.  Thanks.

 New location for my website! Update your bookmarks!
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4
