Re: DSA-1771-1 vs. tracker
On Fri, 17 Apr 2009 22:14:24 +0200 Francesco Poli wrote:
> Hi everyone,
> DSA-1771-1 [1] was issued back on Wednesday, and the corresponding
> tracker page [2] was created.
>
> I think there are a few inconsistencies, though.
>
> The DSA refers to two CVEs [3][4] and to one further vulnerability
> with no CVE number yet.
> The DSA tracker page [2] only refers to the two CVEs.
> I think it would be useful to mark the CVE-less vulnerability as fixed,
> as well, maybe by referring to a TEMP, which will later be converted
> into a CVE...
there are some issues with the tracker update scripts where the DSA
links are being removed from non-numbered CVEs. this has yet to be
addressed (i.e. the script needs to be made to be more intelligent about
this type of case). i'll see if i can find the time to work on it.
> Moreover, the DSA says that the two CVEs are fixed
> * for etch in version 0.90.1dfsg-4etch19
> * for lenny in version 0.94.dfsg.2-1lenny2
> * for sid in version 0.95.1+dfsg-1
> On the other hand, the CVE tracker pages [3][4] also claim
> that squeeze is fixed, even though it still has version 0.94.dfsg.2-1.
> Is this good news, or just a mistake on the tracker?
the data was misentered in the tracker. fixed.
Reply to: