On Fri, 13 May 2011 18:38:26 +0200 Florian Weimer wrote:

> * Francesco Poli:
[...]
> > Can the CVE be associated to the DSA and also have the additional info
> > that it was fixed for squeeze in a version which is an ancestor of the
> > squeeze version?
>
> It is reflected in the page for CVE-2009-2939:
>
> <http://security-tracker.debian.org/tracker/CVE-2009-2939>

I see, and everything seems to be correct.

>
> The information for CVEs is typically more accurate because often,
> DSAs fix several vulnerabilities in a package, and sometimes, this
> cannot be expressed adequately in a single fixed version number.

I usually check single CVE tracker pages, as well.
In this specific case, I just wondered why the link between this CVE
and the corresponding DSA was missing on the tracker: but now you (and
Mike) have explained.

So, in summary, everything seems to be correct, taking the current
limitations of the tracker into account.

Many thanks for clarifying!
Bye.

--
 http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
 New GnuPG key, see the transition document!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE