
Re: DSA-2189-1 vs. tracker

On Fri, 11 Mar 2011 17:16:20 -0500 Michael Gilbert wrote:

> On Fri, 11 Mar 2011 18:36:38 +0100 Francesco Poli wrote:
> > Hi all,
> > everything seems to be OK with the DSA-2189-1 [1] tracker page [2] and
> > its associated CVE numbers.
> > Some CVE numbers were apparently assigned after the release of the DSA.
> > I seem to be able to map the CVE-less vulnerabilities to the CVE
> > numbers mentioned in the tracker [2], except for the first two:
> If you can specify which issues these are, and if you've checked the
> source to confirm, we can make these updates.

No, no, there was apparently a misunderstanding.
I was unclear, sorry.

What I meant is that some CVE numbers are not mentioned in the DSA, but
have already been recorded in the tracker as fixed by the DSA itself.
When I saw these additional CVE numbers on the tracker, I thought that
they could be some of the CVE-less vulnerabilities mentioned in the DSA
(which were in the meanwhile assigned a CVE id).
By reading the CVE descriptions, I managed to map the additional CVE
numbers to the CVE-less issues, but two seem to be still missing.

I hope it's clearer, now.

> >  Out-of-bounds read in text searching [69640]
> >  Memory corruption in SVG fonts. [72134]
> > 
> > Are these two still CVE-less?
> > If so, I cannot find any corresponding TEMP entry in the tracker [3].
> > Where are they? Should they be added to the tracker?
> We won't necessarily enter cve-less issues in the tracker. However,
> once these do get assigned ids we will make sure they get recorded as
> fixed in this dsa.

Perfect, that's all I wanted to know.

 New GnuPG key, see the transition document!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE
