Re: Incorrect information in security tracker regarding the mahara package

To: Francois Marier <francois@debian.org>
Cc: debian-security-tracker@lists.debian.org
Subject: Re: Incorrect information in security tracker regarding the mahara package
From: Michael Gilbert <michael.s.gilbert@gmail.com>
Date: Thu, 22 Oct 2009 23:00:45 -0400
Message-id: <[🔎] 20091022230045.6d6c169a.michael.s.gilbert@gmail.com>
In-reply-to: <[🔎] 20091022223629.GF7147@isafjordur.dyndns.org>
References: <[🔎] 20091022223629.GF7147@isafjordur.dyndns.org>

On Fri, 23 Oct 2009 11:36:29 +1300 Francois Marier wrote:

> (please CC me on replies, I'm not on this list)
> 
> Hi,
> 
> I just want to report that this issue:
> 
>   http://security-tracker.debian.org/tracker/CVE-2009-2171
> 
> does not apply to the 1.0 series of Mahara, as mentioned on the upstream
> advisory:
> 
>   http://mahara.org/interaction/forum/topic.php?id=753
> 
> So the lenny version of Mahara, 1.0.4-4+lenny3, should not be marked as
> vulnerable.

did you manually check the code?  we have to review the source code
directly because advisory texts are often inexact, incomplete, or
incorrect.

if you are able to help, that would be great.

mike

Reply to:

Follow-Ups:
- Re: Incorrect information in security tracker regarding the mahara package
  - From: Francois Marier <francois@debian.org>

References:
- Incorrect information in security tracker regarding the mahara package
  - From: Francois Marier <francois@debian.org>

Prev by Date: Re: No tracker page for DSA-1914-1
Next by Date: Re: Incorrect information in security tracker regarding the mahara package
Previous by thread: Incorrect information in security tracker regarding the mahara package
Next by thread: Re: Incorrect information in security tracker regarding the mahara package
Index(es):
- Date
- Thread