Hello everybody! DSA-1804-1 has just been issued [1] and the corresponding tracker page [2] is online. Fixed version information for etch and lenny seems to be consistent. On the other hand, as far as squeeze and sid are concerned, the DSA claims that the two vulnerabilities are fixed in version 1:0.7.1-1.5 for sid, while squeeze will be fixed soon. The tracker pages tell a different story: they claim that CVE-2009-1574 [3] is fixed in version 0.7.1-1.4 (which seems to be correct, judging from the BTS bug [4]) and that CVE-2009-1632 [5] is fixed in version 0.7.1-1.5 (which, again, seems to be correct, see [6]). "So where's the problem?", I hear you asking. The problem is that the source package table on both CVE tracker pages [3][5] claim that squeeze is fixed with version 1:0.7.1-1.4. I think the problem is the missing epoch in the (unstable) fixed versions in the tracker pages [3][5]. Please fix this inconsistency. [1] http://lists.debian.org/debian-security-announce/2009/msg00114.html [2] http://security-tracker.debian.net/tracker/DSA-1804-1 [3] http://security-tracker.debian.net/tracker/CVE-2009-1574 [4] http://bugs.debian.org/527634 [5] http://security-tracker.debian.net/tracker/CVE-2009-1632 [6] http://bugs.debian.org/528933 P.S.: no need to Cc: me, now, since I *am* subscribed to this list! -- New location for my website! Update your bookmarks! http://www.inventati.org/frx ..................................................... Francesco Poli . GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
Attachment:
pgpXuCVjqjeIu.pgp
Description: PGP signature