
Re: Wrong fixed version for cairo and CVE-2009-2044?



On Tue, 20 Apr 2010 14:34:04 +0200, Gerfried Fuchs wrote:
> * Michael Gilbert <michael.s.gilbert@gmail.com> [2010-04-19 17:15:53 CEST]:
> > On Mon, 19 Apr 2010 15:46:38 +0200, Alexander Reichle-Schmehl wrote:
> > > So could it be, that the security tracker is wrong?
> > 
> > yes, that's a possibility.  i only checked back to 1.8.10-3 since that
> > was the squeeze version.  i usually only check the officially supported
> > releases (stable, testing, and kind of unstable), so if you've found
> > the problem fixed in backports, we can update the tracker, but that
> > won't normally be checked (unless backports support becomes official).
> 
>  This sounds reasonable - but actually the changelog isn't too cryptic
> here and I don't see anything in either 1.8.10-3 nor even 1.8.10-2 that
> would cause them to fix anything security related. I know that it can
> only be a wish, but could you at least try to read the according
> changelogs to see whether the version in squeeze could at least remotely
> have something to do with that the issue has gone away, and try to get
> more accurate information in the tracker with minimum effort.

i don't base my research on changelog entries.  i download the source,
and check.  it would be a significant additional effort to do this for
backports for every issue, and i don't have the time or interest for
that. however, i understand that will become necessary if/when backports
support becomes official, and i will commit to it then.

i would suggest that those interested in backports right now keep an eye
on recently checked issues, and if they aren't closed in backports,
then check the source there, and correct the tracker as needed.

mike

