
Wrong fixed version for cairo and CVE-2009-2044?

[ BCCing cairo maintainers, if they would like to comment ]


I'm maintaining the cairo backports, and according to the security tracker [1], the current backport (from 1.8.8-2) should be affected by CVE-2009-2044. I checked the patches linked from [2], and it seems to me the bug is already fixed in the backported version 1.8.8-2.

The security tracker currently lists 1.8.10-3 as the package fixing that version, however that package revision doesn't mention anything like that in the changelog; it mostly introduced udebs at that point. (Or maybe that version was taken, as it was the first upload to unstable?)

So could it be that the security tracker is wrong?

Best regards,

  1: http://security-tracker.debian.org/tracker/CVE-2009-2044
  2: https://bugzilla.mozilla.org/show_bug.cgi?id=496265#c3
