
Re: [SECURITY] [DSA 3258-1] quassel security update



Hi,

On Wed, May 13, 2015 at 07:43:47PM +0800, Paul Wise wrote:
> On Wed, May 13, 2015 at 5:26 PM, Dominic Hargreaves wrote:
> 
> > As far as I can tell from
> >
> > https://security-tracker.debian.org/tracker/CVE-2013-4422
> >
> > wheezy wasn't affected by the original CVE since the version of Qt
> > there is < 4.8.5. Is that correct? If so, what's the right way to mark this
> > fact in the security-tracker data?
> 
> Add something like the third line here to data/CVE/list:
> 
> CVE-2013-4422 (SQL injection vulnerability in Quassel IRC before
> 0.9.1, when Qt 4.8.5 ...)
>   - quassel 0.9.1-1
>   [wheezy] - quassel <not-affected> (Vulnerable code not present)

<not-affected> (Vulnerable code not present) would not be correct,
since the issue would appear if one used qt4 with the backported fix
https://bugreports.qt-project.org/browse/QTBUG-30076 . But it can be
marked as "unimportant", saying that (for now) the binary packages are
"unaffected", since in Debian QTBUG-30076 is not backported to wheezy.

Or just leave it that way; the note makes clear when the issue
applies to the binary packages as well.

Regards,
Salvatore
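The thread turns on how a data/CVE/list entry is read: a bare "- package version" line is the default status, and a "[release] - package ..." line overrides it for that one release, with the parenthesised text carrying the reason or severity. The parser below is an added example for this page, not code from the thread or from the Debian security-tracker project. It handles only the two line shapes quoted above plus "NOTE:" lines (an assumption about the format; the real data/CVE/list grammar has more tags and fields than this), and the sample entry is the one Paul quoted, joined onto one header line.

```python
"""Resolve per-release package status from a security-tracker style entry.

Added example, not part of the original thread or of the security-tracker
code base.  Only the syntax visible in the quoted entry is supported.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the entry quoted in the thread, header joined onto one
# line and the lines indented with tabs as data/CVE/list does.
SAMPLE_ENTRY = (
    "CVE-2013-4422 (SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 ...)\n"
    "\t- quassel 0.9.1-1\n"
    "\t[wheezy] - quassel <not-affected> (Vulnerable code not present)\n"
    "\tNOTE: constructed note line for this example\n"
)

# "- pkg 0.9.1-1" (default line) or
# "[wheezy] - pkg <not-affected> (Vulnerable code not present)" (release line)
_PKG_LINE = re.compile(
    r"^\s*(?:\[(?P<release>[a-z-]+)\]\s*)?-\s+(?P<package>\S+)\s+"
    r"(?P<status>\S+)(?:\s+\((?P<note>.*)\))?\s*$"
)
_HEADER = re.compile(r"^(?P<cve>CVE-\d{4}-\d{4,})(?:\s+\((?P<desc>.*)\))?\s*$")


@dataclass
class PkgStatus:
    package: str
    release: Optional[str]  # None means the default line (unstable / unlisted releases)
    status: str             # fixed version, or a tag such as <not-affected>
    note: Optional[str]     # parenthesised reason or severity, if any


@dataclass
class Entry:
    cve: str
    description: str
    statuses: List[PkgStatus] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


def parse_entry(text: str) -> Entry:
    """Parse one entry: a CVE header followed by package and NOTE lines."""
    lines = [l for l in text.splitlines() if l.strip()]
    m = _HEADER.match(lines[0])
    if not m:
        raise ValueError("first line is not a CVE header: %r" % lines[0])
    entry = Entry(m["cve"], m["desc"] or "")
    for line in lines[1:]:
        stripped = line.strip()
        if stripped.startswith("NOTE:"):
            entry.notes.append(stripped[len("NOTE:"):].strip())
            continue
        pm = _PKG_LINE.match(line)
        if not pm:
            raise ValueError("unrecognised package line: %r" % line)
        entry.statuses.append(
            PkgStatus(pm["package"], pm["release"], pm["status"], pm["note"])
        )
    return entry


def status_for(entry: Entry, package: str, release: str) -> Optional[PkgStatus]:
    """A [release]-specific line wins; otherwise the default line applies."""
    default = None
    for s in entry.statuses:
        if s.package != package:
            continue
        if s.release == release:
            return s
        if s.release is None:
            default = s
    return default


def marked_not_affected(entry: Entry, package: str, release: str) -> bool:
    """True only when the resolved line carries the <not-affected> tag."""
    s = status_for(entry, package, release)
    return s is not None and s.status == "<not-affected>"


if __name__ == "__main__":
    e = parse_entry(SAMPLE_ENTRY)
    for rel in ("wheezy", "jessie"):
        s = status_for(e, "quassel", rel)
        print(rel, s.status, s.note, "not-affected" if marked_not_affected(e, "quassel", rel) else "")
```

Run as a script it prints the resolved line for wheezy (the <not-affected> override with its reason) and for jessie (the default fixed version 0.9.1-1). The same resolution order is what makes Salvatore's objection matter: a <not-affected> line is a claim about the source in that release, so it should only be used when the vulnerable code is genuinely absent, not merely unreachable in the current binaries.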

