
Re: CVE-2010-0286 and affected versions
* Moritz Muehlenhoff:

> On Thu, Feb 25, 2010 at 10:40:35PM +0100, Florian Weimer wrote:
>> * Holger Levsen:
>> 
>> > why does http://security-tracker.debian.org/tracker/CVE-2010-0286 list
>> > 4.2.8-1 in squeeze as affected? squeeze has a newer version and 4.2.8-1 is
>> > not in Debian anywhere anymore...
>> 
>> We somehow missed the removal of the alpha architecture from squeeze.
>> Thanks for spotting this.  I will try to rectify this tomorrow.
>
> Is there a specific reason the Security Tracker is dealing with binary
> packages at all?

The reasons are mainly historic.  We used to have binary package names
in the list files.  And there wasn't a reasonably up-to-date
DD-accessible dak mirror at that time.  Actually, I've been using the
tracker as some sort of "dak ls" replacement.  Nowadays, the mirror on
merkel should be up-to-date, and I can look directly on
security-master at the security archive, so the necessity is indeed
gone.

> All the information we care about is based on the source packages
> AFAICS.

Right, it should be feasible to remove the binary package files.  I
will look into this, too.
