Wrong fixed version for cairo and CVE-2009-2044?

To: debian-security-tracker@lists.debian.org
Subject: Wrong fixed version for cairo and CVE-2009-2044?
From: Alexander Reichle-Schmehl <tolimar@debian.org>
Date: Mon, 19 Apr 2010 15:46:38 +0200
Message-id: <[🔎] 4BCC5EBE.9020408@debian.org>

[ BCCing cairo maintainers, if they would like to comment ]

Hi!

I'm maintaining the cairo backports, and according to the securitytracker [0], the current backport (from 1.8.8-2) should be affected byCVE-2009-2044. I checked the patches linked from [2], and it seems tome, the bug is already fixed in the backported version 1.8.8-2.

The security tracker currently lists 1.8.10-3 as the package fixing thatversion, however that package revision doesn't mention anything likethat in the changelog; it mostly introduced udebs at that point. (Ormaybe that version was taken, as it was the first upload to unstable?)


So could it be, that the security tracker is wrong?


Best regards,
  Alexander


Links:
  1: http://security-tracker.debian.org/tracker/CVE-2009-2044
  2: https://bugzilla.mozilla.org/show_bug.cgi?id=496265#c3

Reply to:

Follow-Ups:
- Re: Wrong fixed version for cairo and CVE-2009-2044?
  - From: Michael Gilbert <michael.s.gilbert@gmail.com>

Prev by Date: Re: Should security tracker and PTS track terminated oldstable security issue as open?
Next by Date: Re: Wrong fixed version for cairo and CVE-2009-2044?
Previous by thread: Re: Should security tracker and PTS track terminated oldstable security issue as open?
Next by thread: Re: Wrong fixed version for cairo and CVE-2009-2044?
Index(es):
- Date
- Thread