Bug#903816: marked as done (security-tracker: CVE-2017-17689 vs. tracker)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sun, 15 Jul 2018 13:38:52 +0200
with message-id <20180715113852.GA7817@eldamar.local>
and subject line Re: Bug#903816: security-tracker: CVE-2017-17689 vs. tracker
has caused the Debian Bug report #903816,
regarding security-tracker: CVE-2017-17689 vs. tracker
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
903816: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903816
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: security-tracker: CVE-2017-17689 vs. tracker
• From: "Francesco Poli (wintermute)" <invernomuto@paranoici.org>
• Date: Sun, 15 Jul 2018 10:45:38 +0200
• Message-id: <[🔎] 153164433871.8210.6226667058104449620.reportbug@crunch>

Package: security-tracker
Severity: normal

Hello everyone!

According to [DSA-4244-1] thunderbird/1:52.9.1-1~deb9u1 fixes
CVE-2017-17689 in stretch (security), among other vulnerabilities.

However the tracker page for [CVE-2017-17689] seems to disagree,
while, on the other hand, referencing bug [#898631], which is claimed
to be fixed in oldstable, stable, testing, and unstable.

But please note that bug [#898631] does not mention CVE-2017-17689
at all!

Oh what a headache!
Which is wrong and which is right?

Could you please clarify and update the tracker data, if needed?

Thanks for your time!

[DSA-4244-1]: <https://lists.debian.org/debian-security-announce/2018/msg00173.html>
[CVE-2017-17689]: <https://security-tracker.debian.org/tracker/CVE-2017-17689>
[#898631]: <https://bugs.debian.org/898631>

--- End Message ---

--- Begin Message ---

• To: "Francesco Poli (wintermute)" <invernomuto@paranoici.org>, 903816-done@bugs.debian.org, jmm@debian.org
• Subject: Re: Bug#903816: security-tracker: CVE-2017-17689 vs. tracker
• From: Salvatore Bonaccorso <carnil@debian.org>
• Date: Sun, 15 Jul 2018 13:38:52 +0200
• Message-id: <20180715113852.GA7817@eldamar.local>
• In-reply-to: <[🔎] 153164433871.8210.6226667058104449620.reportbug@crunch>
• References: <[🔎] 153164433871.8210.6226667058104449620.reportbug@crunch>

On Sun, Jul 15, 2018 at 10:45:38AM +0200, Francesco Poli (wintermute) wrote:
> Package: security-tracker
> Severity: normal
> 
> Hello everyone!
> 
> According to [DSA-4244-1] thunderbird/1:52.9.1-1~deb9u1 fixes
> CVE-2017-17689 in stretch (security), among other vulnerabilities.
> 
> However the tracker page for [CVE-2017-17689] seems to disagree,
> while, on the other hand, referencing bug [#898631], which is claimed
> to be fixed in oldstable, stable, testing, and unstable.
> 
> But please note that bug [#898631] does not mention CVE-2017-17689
> at all!
> 
> Oh what a headache!
> Which is wrong and which is right?
> 
> Could you please clarify and update the tracker data, if needed?
> 
> Thanks for your time!
> 
> [DSA-4244-1]: <https://lists.debian.org/debian-security-announce/2018/msg00173.html>
> [CVE-2017-17689]: <https://security-tracker.debian.org/tracker/CVE-2017-17689>
> [#898631]: <https://bugs.debian.org/898631>

In short, the tracker is ocrrect. The initial DSA mail did contain the
mention of the CVE-2017-17689, but it was wrongly listed. This is why
it was reverted in

https://salsa.debian.org/security-tracker-team/security-tracker/commit/0b041892b1d953fabb4ef8636c02b427a2771663

and the website is as well correct (the mail obvioulsy cannot be fixed
retrospecitively).

Regards,
Salvatore

--- End Message ---