
DSA-1804-1 vs. tracker

Hello everybody!

DSA-1804-1 has just been issued [1] and the corresponding tracker page
[2] is online.
Fixed version information for etch and lenny seems to be consistent.
On the other hand, as far as squeeze and sid are concerned, the DSA
claims that the two vulnerabilities are fixed in version 1:0.7.1-1.5
for sid, while squeeze will be fixed soon.
The tracker pages tell a different story: they claim that CVE-2009-1574
[3] is fixed in version 0.7.1-1.4 (which seems to be correct, judging
from the BTS bug [4]) and that CVE-2009-1632 [5] is fixed in version
0.7.1-1.5 (which, again, seems to be correct, see [6]).

"So where's the problem?", I hear you asking.
The problem is that the source package table on both CVE tracker pages
[3][5] claims that squeeze is fixed with version 1:0.7.1-1.4.

I think the problem is the missing epoch in the (unstable) fixed
versions in the tracker pages [3][5].

Please fix this inconsistency.

[1] http://lists.debian.org/debian-security-announce/2009/msg00114.html
[2] http://security-tracker.debian.net/tracker/DSA-1804-1
[3] http://security-tracker.debian.net/tracker/CVE-2009-1574
[4] http://bugs.debian.org/527634
[5] http://security-tracker.debian.net/tracker/CVE-2009-1632
[6] http://bugs.debian.org/528933

P.S.: no need to Cc: me, now, since I *am* subscribed to this list!

 New location for my website! Update your bookmarks!
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4
