
not listing -2 DSAs in data/DSA/list



Hi all,

On Tue, May 18, 2010 00:54, Michael Gilbert wrote:
> Author: gilbert-guest
> Date: 2010-05-17 22:54:10 +0000 (Mon, 17 May 2010)
> New Revision: 14698
>
> Modified:
>    data/CVE/list
>    data/DSA/list
> Log:
> NFUs, new issues, and dsa-2038-2

> Modified: data/DSA/list
> ===================================================================
> --- data/DSA/list	2010-05-17 21:15:08 UTC (rev 14697)
> +++ data/DSA/list	2010-05-17 22:54:10 UTC (rev 14698)
> @@ -1,3 +1,6 @@
> +[17 May 2010] DSA-2038-2 pidgin - regression fix
> +	{CVE-2010-0420 CVE-2010-0423}
> +	[lenny] - pidgin 2.4.3-4lenny7
>  [17 May 2010] DSA-2047-1 aria2 - directory traversal
>  	{CVE-2010-1512}
>  	[lenny] - aria2 0.14.0-1+lenny2
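Review bot: the three added lines give DSA-2038-2 the same {CVE-2010-0420 CVE-2010-0423} set as the original pidgin advisory while the header and log line describe it as a regression fix, so once listed the tracker will report pidgin 2.4.3-4lenny7, not the DSA-2038-1 version, as the fix for those CVEs; if the update corrects no security issue, drop the entry from data/DSA/list (the CVE and [lenny] lines included) so the recorded fixed version stays the one from DSA-2038-1.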

It is by design that the automatic dsa2list-script skips updates to
existing DSAs ("-2"s).

The update DSA-2038-2 is a regression fix because functionality was broken
by DSA-2038-1 in a way that does not impact security. The majority of
-2 releases are such fixes; only occasionally there's an incomplete fix
and the -2 is necessary to remain secure.

It doesn't make sense to me to add such non-security regression fixes to
the tracker, because this will make the tracker display that DSA-2038-2 /
pidgin 2.4.3-4lenny7 is necessary in order not to be vulnerable to
CVE-2010-0420 and CVE-2010-0423. This is not the case, as systems with
2.4.3-4lenny6 are secure and just have a non-security bug (which may not
impact them at all).

I would therefore like to stress once more that we do not add -2 DSAs to
the tracker unless they have an actual security impact, that is, they
correct an incomplete fix for a vulnerability. Otherwise we're communicating
things about which version fixes a vulnerability that aren't accurate.


cheers,
Thijs

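As an added illustration of the point made in this thread (not code from the tracker project or from the poster), here is a small Python check over the data/DSA/list format shown in the quoted diff: it parses the entries and flags every -N (N > 1) revision whose CVE set adds nothing over the -1 entry, i.e. the entries that would make the tracker report the newer package version as the fix for CVEs the -1 already fixed. The DSA-2038-1 line and its date in the sample are constructed; the other lines are taken from the hunk above. A flagged entry still needs a human decision, since a -2 that corrects an incomplete fix carries the same CVEs as a pure regression fix.

```python
import re

# Constructed sample of data/DSA/list, newest entries first as in the diff.
# The DSA-2038-1 entry and its date are made up for this example.
SAMPLE = """\
[17 May 2010] DSA-2038-2 pidgin - regression fix
\t{CVE-2010-0420 CVE-2010-0423}
\t[lenny] - pidgin 2.4.3-4lenny7
[17 May 2010] DSA-2047-1 aria2 - directory traversal
\t{CVE-2010-1512}
\t[lenny] - aria2 0.14.0-1+lenny2
[01 Apr 2010] DSA-2038-1 pidgin - several vulnerabilities
\t{CVE-2010-0420 CVE-2010-0423}
\t[lenny] - pidgin 2.4.3-4lenny6
"""

HEADER = re.compile(r"^\[(?P<date>[^\]]+)\] (?P<id>DSA-(?P<num>\d+)-(?P<rev>\d+)) "
                    r"(?P<pkg>\S+)(?: - (?P<desc>.*))?$")
CVES = re.compile(r"^\t\{(?P<cves>[^}]*)\}$")
FIXED = re.compile(r"^\t\[(?P<rel>[^\]]+)\] - (?P<pkg>\S+) (?P<ver>\S+)$")


def parse_dsa_list(text):
    """Map each DSA id to its number, revision, CVE set and fixed versions."""
    entries, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # new entry header
            cur = {"num": int(m["num"]), "rev": int(m["rev"]),
                   "pkg": m["pkg"], "cves": set(), "fixed": {}}
            entries[m["id"]] = cur
            continue
        if cur is None or not line.startswith("\t"):
            continue  # comments or stray lines between entries
        m = CVES.match(line)
        if m:
            cur["cves"].update(m["cves"].split())
            continue
        m = FIXED.match(line)
        if m:
            cur["fixed"][m["rel"]] = m["ver"]
    return entries


def revisions_without_new_cves(entries):
    """IDs of -N (N > 1) entries whose CVEs are all already in the -1 entry."""
    base = {e["num"]: e for e in entries.values() if e["rev"] == 1}
    return sorted(i for i, e in entries.items()
                  if e["rev"] > 1 and e["num"] in base
                  and e["cves"] <= base[e["num"]]["cves"])
```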