
Re: DSA-2000-1 vs. tracker



On Fri, 19 Feb 2010 21:32:49 +0100, Francesco Poli wrote:
> On Thu, 18 Feb 2010 22:40:31 -0500 Michael Gilbert wrote:
> 
> > On Fri, 19 Feb 2010 00:53:40 +0100 Francesco Poli wrote:
> [...]
> > > The DSA claims that nine vulnerabilities are fixed in version 4:0.5
> > > +svn20090706-5 for sid, but the CVE tracker pages (linked from the DSA
> > > tracker page [2]) disagree.
> [...]
> > 
> > The maintainer committed a bunch of patches in -3, and stated that the
> > issues were fixed, but I can't find enough info to verify this yet, so
> > I would not be confident in changing the tracking.
> 
> Do I understand correctly?!?
> You are basically saying that the status of sid regarding those nine
> CVEs is yet unknown.
> 
> I think that this is really worrying, taking into account that the DSA
> claims those CVEs to be fixed in sid!
> I hope that Debian Security Advisories do not include unverified
> statements!  Otherwise I am afraid that users will stop trusting them!
> 
> I hope that someone will soon check the status of those CVEs with
> respect to sid!
> After that, I think that _one_ of the two following things should be
> done:
> 
>  * update the tracker
>  * issue a DSA-2000-2 that rectifies the incorrect statement included
>    in DSA-2000-1
> 
> Or am I completely off-track?

I stated my perspective.  Usually there is enough info to check, but
in this case, I personally cannot find it.  I assume Moritz did, and
he based the DSA on that.

In the meantime, like I said, if someone has the motivation, they can
test the proofs of concept.  Or someone with confidence in the updates
can fix the tracker.

mike

