Bug#777456: security-tracker: DSA-2978-2 vs. tracker
Hi Francesco,
On Sun, Feb 08, 2015 at 12:35:56PM +0100, Francesco Poli (wintermute) wrote:
> Package: security-tracker
> Severity: normal
>
> Hello again,
> there seems to be a typo in the tracker page for CVE-2014-3660 [1]:
> it states that the vulnerability is fixed in jessie by
> libxml2/2.9.1+dfsg1-5, while DSA-2978-2 [2] says that the fixed
> version is 2.9.1+dfsg1-4 ...
The situation for the update in DSA-2978-2 is actually a bit
complicated.
DSA-2978-1: Fixed CVE-2014-0191:
- wheezy: 2.8.0+dfsg1-7+wheezy1
- jessie: 2.9.1+dfsg1-4
- unstable: 2.9.1+dfsg1-4
A regression in functionality was found, so releasing updates for it.
DSA-3057-1: Fixed CVE-2014-3660:
- wheezy: 2.8.0+dfsg1-7+wheezy2
- jessie: <unfixed>
- unstable: 2.9.2+dfsg1-1
libxml2 could not migrate to jessie in this version, so the fix for
CVE-2014-3660 never reached jessie.
After that, regressions in functionality were addressed with the DSA
you are mentioning. For jessie, to fix the issue in CVE-2014-3660 a
pre-approval for an upload to t-p-u was opened in
https://bugs.debian.org/776748, so the version fixing CVE-2014-3660
will be correct as libxml2/2.9.1+dfsg1-5 once the package is accepted.
The entry in the tracker was only a bit "prematurely" added as the
package was not yet accepted by the release team.
So I would say (unless I now missed something) all the versions in the
tracker are correct (apart from that we should have delayed adding
2.9.1+dfsg1-5, since it is not yet approved), and the advisory text
itself was a bit complicated to write up to reflect all this correctly.
So I would tend to close this bug right away, or wait until
2.9.1+dfsg1-5 is accepted into jessie via t-p-u, but unfortunately the
advisory text
https://lists.debian.org/debian-security-announce/2015/msg00039.html
in the list archives is now out this way.
Regards,
Salvatore
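The question in this thread is whether a suite's libxml2 version is older than the version the tracker records as fixing CVE-2014-3660. The following added example (not code from the bug report or from the security-tracker itself) implements the dpkg version ordering from Debian Policy 5.6.12 (epoch, upstream, revision; `~` sorts before everything, letters before non-letters, digit runs compared numerically) and applies it to the versions quoted in the mail; the per-suite table is constructed from those quoted numbers.

```python
import re

def _order(c):
    """Character weight per dpkg: '~' < end of string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare upstream or revision strings: alternate non-digit/digit runs."""
    while a or b:
        pa, pb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(pa):], b[len(pb):]
        for i in range(max(len(pa), len(pb))):
            ca = pa[i] if i < len(pa) else ""
            cb = pb[i] if i < len(pb) else ""
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def _split(v):
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    """Negative if v1 < v2, zero if equal, positive if v1 > v2 (dpkg order)."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_vulnerable(installed, fixed):
    """True when installed is older than the fixing version; None = <unfixed>."""
    return fixed is None or compare_versions(installed, fixed) < 0

# Constructed from the mail: version in each suite vs. tracker's fixed version
# for CVE-2014-3660 (jessie's 2.9.1+dfsg1-5 is the not-yet-accepted t-p-u upload).
SUITES = {"wheezy": ("2.8.0+dfsg1-7+wheezy2", "2.8.0+dfsg1-7+wheezy2"),
          "jessie": ("2.9.1+dfsg1-4", "2.9.1+dfsg1-5"),
          "unstable": ("2.9.2+dfsg1-1", "2.9.2+dfsg1-1")}

def suite_status():
    return {s: "vulnerable" if is_vulnerable(cur, fix) else "fixed"
            for s, (cur, fix) in SUITES.items()}
```

Running `suite_status()` reports jessie as still vulnerable while wheezy and unstable are fixed, which is exactly the state the tracker entry describes before the t-p-u upload is accepted.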