Wrong fixed version for cairo and CVE-2009-2044?
[ BCCing cairo maintainers, if they would like to comment ]
Hi!
I'm maintaining the cairo backports, and according to the security
tracker [1], the current backport (from 1.8.8-2) should be affected by
CVE-2009-2044. I checked the patches linked from [2], and it seems to
me the bug is already fixed in the backported version 1.8.8-2.
The security tracker currently lists 1.8.10-3 as the package fixing that
version, however that package revision doesn't mention anything like
that in the changelog; it mostly introduced udebs at that point. (Or
maybe that version was taken, as it was the first upload to unstable?)
So could it be that the security tracker is wrong?
Best regards,
Alexander
Links:
1: http://security-tracker.debian.org/tracker/CVE-2009-2044
2: https://bugzilla.mozilla.org/show_bug.cgi?id=496265#c3