
Re: DSA-1771-1 vs. tracker



On Fri, 17 Apr 2009 22:14:24 +0200 Francesco Poli wrote:

> Hi everyone,
> DSA-1771-1 [1] was issued back on Wednesday, and the corresponding
> tracker page [2] was created.
> 
> I think there are a few inconsistencies, though.
> 
> The DSA refers to two CVEs [3][4] and to one further vulnerability
> with no CVE number yet.
> The DSA tracker page [2] only refers to the two CVEs.
> I think it would be useful to mark the CVE-less vulnerability as fixed,
> as well, maybe by referring to a TEMP, which will later be converted
> into a CVE...

There are some issues with the tracker update scripts where the DSA
links are being removed from non-numbered CVEs.  This has yet to be
addressed (i.e. the script needs to be made to be more intelligent about
this type of case).  I'll see if I can find the time to work on it.

> Moreover, the DSA says that the two CVEs are fixed
>  * for etch  in version 0.90.1dfsg-4etch19
>  * for lenny in version 0.94.dfsg.2-1lenny2
>  * for sid   in version 0.95.1+dfsg-1
> On the other hand, the CVE tracker pages [3][4] also claim
> that squeeze is fixed, even though it still has version 0.94.dfsg.2-1.
> Is this good news, or just a mistake on the tracker?

The data was misentered in the tracker.  Fixed.

