
Bug#508031: marked as done (Tracking vulnerabilities that have already been patched in other distributions)

Your message dated Sat, 17 Jan 2015 16:03:26 +0100
with message-id <20150117150326.GA21958@pisco.westfalen.local>
and subject line closing
has caused the Debian Bug report #508031,
regarding Tracking vulnerabilities that have already been patched in other distributions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

508031: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508031
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: security-tracker
Severity: important

Oftentimes, a fix gets released for other distributions, and then it
takes weeks or months for Debian to apply the same fix.  I wonder if
this is primarily a communication issue and whether including this
type of information in the tracker would help reduce this lag.  The
intent would be to increase the security team's/package maintainers'
awareness of existing patches.

Some current examples (not a comprehensive list, I only spent 5
minutes on this):

CVE-2008-4552: fixed in Ubuntu [1]
CVE-2008-2379: fixed in Fedora [2]

I'm considering the severity important since leaving users' systems
vulnerable while a fix exists is a very bad thing.

If I get the time, I may look at trying to add this myself, but no
guarantees.  So if anyone else is interested in the problem, go for


[1] http://www.ubuntu.com/usn/USN-687-1
[2] https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00232.html

--- End Message ---
--- Begin Message ---
We've discussed this during the security team meeting and decided to
close the bug: There are no other distributions which publish parseable
data and we already have links to other bug trackers.

--- End Message ---
