
Re: Wrong fixed version for cairo and CVE-2009-2044?



* Michael Gilbert <michael.s.gilbert@gmail.com> [2010-04-20 16:20:13 CEST]:
> On Tue, 20 Apr 2010 14:34:04 +0200, Gerfried Fuchs wrote:
> >  This sounds reasonable - but actually the changelog isn't too cryptic
> > here and I don't see anything in either 1.8.10-3 nor even 1.8.10-2 that
> > would cause them to fix anything security related. I know that it can
> > only be a wish, but could you at least try to read the according
> > changelogs to see whether the version in squeeze could at least remotely
> > have something to do with that the issue has gone away, and try to get
> > more accurate information in the tracker with minimum effort.
> 
> I don't base my research on changelog entries.  I download the source,
> and check. It would be a significant additional effort to do this for
> backports for every issue, and i don't have the time or interest for
> that.

 The changelog is part of the source, no one asked to download the
backports source, too. Actually the difference there is suspected to be
non-significant with respect to the same version that was in testing at
the time when the backporting happened.

 Actually makes me wonder: Did upstream not provide information on
which of their releases fixed the issue? Usually they do, which
actually would be a good idea for a quick ask and avoid even most
additional effort. I don't buy the "significant additional effort"
reasoning, sorry - a quick check in the included upstream ChangeLog file
concluded that the fix was in since their 1.7.6 release, which predates
at least the 1.8.2-1 Debian version, also according to upstream
changelog.

> I would suggest that those interested in backports right now keep an eye
> on recently checked issues, and if they aren't closed in backports,
> then check the source there, and correct the tracker as needed.

 It's more than "a significant additional effort" if the version
information in the tracker can't be trusted, and according to your
approach shouldn't be trusted. This is more than just a pain, sorry.

 Thanks anyway for your efforts,
Rhonda

