On Thu, 18 Feb 2010 22:40:31 -0500 Michael Gilbert wrote:

> On Fri, 19 Feb 2010 00:53:40 +0100 Francesco Poli wrote:
[...]
> > The DSA claims that nine vulnerabilities are fixed in version 4:0.5
> > +svn20090706-5 for sid, but the CVE tracker pages (linked from the DSA
> > tracker page [2]) disagree.
[...]
>
> the maintainer committed a bunch of patches in -3, and stated that the
> issues were fixed, but i can't find enough info to verify this yet, so
> i would not be confident in changing the tracking.

Do I understand correctly?!?
You are basically saying that the status of sid regarding those nine
CVEs is yet unknown.

I think that this is really worrying, taking into account that the DSA
claims those CVEs to be fixed in sid!
I hope that Debian Security Advisories do not include unverified
statements! Otherwise I am afraid that users will stop trusting them!

I hope that someone will soon check the status of those CVEs with
respect to sid!
After that, I think that _one_ of the two following things should be
done:

 * update the tracker

 * issue a DSA-2000-2 that rectifies the incorrect statement included
   in DSA-2000-1

Or am I completely off-track?

-- 
 http://www.inventati.org/frx/progs/scripts/pdebuild-hooks.html
 Need some pdebuild hook scripts?
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4