
Re: No tracker page for DSA-1940-1



On Thu, 26 Nov 2009 00:03:30 +0100 Francesco Poli wrote:

> On Wed, 25 Nov 2009 23:36:50 +0100 Francesco Poli wrote:
> 
> > Hello everyone,
> > it seems to me that there's no tracker page for the just issued
> > DSA-1940-1.
> > 
> > Please update the tracker.
> 
> The tracker page is now present, but there's a discrepancy that I would
> like to point out: the DSA claims that the issues are fixed in
> php5/5.2.11.dfsg.1-2 for sid and squeeze.
> However, the tracker (on the individual CVE pages) says that
> php5/5.2.11.dfsg.1-1 is fixed.
> By looking at the BTS bugs, it seems that this is true at least for
> CVE-2009-2626 and CVE-2009-2687, but there's no indication that this
> should be the case for CVE-2009-3291 and CVE-2009-3292...
> 
> Could you please clarify?

bugs are not necessarily submitted (nor required) for every issue.
looking at the php changelog [0], you can see that these issues were
claimed fixed in 5.2.11 by the upstream developers; hence the present
tracking.  of course just looking at the changelog isn't normally
sufficient, but in this case Raphael already did the triage, and i
have to assume he did the appropriate level of checking then.

mike

[0] http://php.net/ChangeLog-5.php

