Re: Wrong fixed version for cairo and CVE-2009-2044?
Gerfried Fuchs wrote:
> Actually makes me wonder: Did upstream not provide information in
> which of their releases they fixed the issue?
No, they did not. This security issue was reported/fixed for Firefox
by Mozilla in their internal cairo copy:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2044
> It's more than "a significant additional effort" if the version
> information in the tracker can't be trusted, and according to your
> approach shouldn't be trusted. This is more than just a pain, sorry.
The version noted in the tracker is taken from changelogs if the
issue can be clearly identified. If that is not the case - as with
CVE-2009-2044 - we check the code, but don't copy information from
security databases, CVE descriptions and other poorly maintained
information sources.
Cheers,
Moritz