
Re: DSA-2233-1 vs. tracker



* Francesco Poli:

> On Thu, 12 May 2011 22:13:00 +0200 Florian Weimer wrote:
>
>> * Francesco Poli:
>> 
>> > It seems to me that the DSA-2233-1 tracker page [1] lacks the reference
>> > to CVE-2009-2939, which is instead present in the actual DSA [2].
>> >
>> > Is there a reason for this, or is it just an inconsistency (that should
>> > be fixed)?
>> 
>> CVE-2009-2939 only affects lenny, and we currently lack a way to
>> express this in a better way.
>
> Can the CVE be associated to the DSA and also have the additional info
> that it was fixed for squeeze in a version which is an ancestor of the
> squeeze version?

It is reflected in the page for CVE-2009-2939:

  <http://security-tracker.debian.org/tracker/CVE-2009-2939>

The information for CVEs is typically more accurate because often,
DSAs fix several vulnerabilities in a package, and sometimes, this
cannot be expressed adequately in a single fixed version number.

