
Re: DSA-1858-1 and lenny on the tracker



On Mon, 10 Aug 2009 23:32:22 +0200, Francesco Poli wrote:
> Hi all!
> 
> According to DSA-1858-1 [1], a number of imagemagick vulnerabilities
> only affect etch (CVE-2007-1667 CVE-2007-1797 CVE-2007-4985
> CVE-2007-4986 CVE-2007-4987 CVE-2007-4988 CVE-2008-1096 CVE-2008-1097),
> while one affects etch and lenny (CVE-2009-1882).
> The latter (CVE-2009-1882) was fixed for lenny in version
> 7:6.3.7.9.dfsg2-1~lenny3.
> 
> The tracker [2] seems to fail to correctly provide information about
> lenny, since it seems to think that all CVEs are fixed for lenny in
> version 7:6.3.7.9.dfsg2-1~lenny3 (while this is true for the last one
> only, as the other ones are already fixed in current lenny version,
> rather than in a security update).
> Moreover, the tracker seems to be still unaware of a
> 7:6.3.7.9.dfsg2-1~lenny3 security update for lenny (maybe because it
> has not yet been uploaded? see [3]).
> 
> Please note that, on the other hand, etch, squeeze, and sid information
> seems to be OK in the tracker.
> 
> Please fix these inconsistencies, if possible.

this is a flaw in the tracker.  we don't have the ability to separate
out CVEs per release in the DSA list, so we end up with problems
like this. i've been meaning to look into fixing this, and i may find
the time, but until then, there is no sane way to correct the problem.

mike

