
Re: Wrong fixed version for cairo and CVE-2009-2044?



Gerfried Fuchs wrote:
>  Actually makes me wonder: Did upstream not provide information in
> which of their releases they fixed the issue?

No, they did not. This security issue was reported/fixed for Firefox
by Mozilla in their internal cairo copy:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2044

>  It's more than "a significant additional effort" if the version
> information in the tracker can't be trusted, and according to your
> approach shouldn't be trusted. This is more than just a pain, sorry.

The version noted in the tracker is taken from changelogs if the
issue can be clearly identified. If that is not the case - as with
CVE-2009-2044 - we check the code, but don't copy information from
security databases, CVE descriptions and other poorly maintained
information sources.

Cheers,
        Moritz

