Re: [SECURITY] [DSA 3258-1] quassel security update
Hi,
On Wed, May 13, 2015 at 07:43:47PM +0800, Paul Wise wrote:
> On Wed, May 13, 2015 at 5:26 PM, Dominic Hargreaves wrote:
>
> > As far as I can tell from
> >
> > https://security-tracker.debian.org/tracker/CVE-2013-4422
> >
> > wheezy wasn't affected by the original CVE since the version of QT
> > there is < 4.8.5. Is that correct? If so, what's the right way to mark this
> > fact in the security-tracker data?
>
> Add something like the third line here to data/CVE/list:
>
> CVE-2013-4422 (SQL injection vulnerability in Quassel IRC before
> 0.9.1, when Qt 4.8.5 ...)
> - quassel 0.9.1-1
> [wheezy] - quassel <not-affected> (Vulnerable code not present)
<not-affected> (Vulnerable code not present) would not be correct,
since the issue appears if one were to use qt4 with the backported fix
https://bugreports.qt-project.org/browse/QTBUG-30076 . But it can be
marked as "unimportant", saying that (for now) the binary packages are
"unaffected" since in Debian QTBUG-30076 is not backported to wheezy.
Or just leave it that way; the notes make clear when the issue
applies to the binary packages as well.
Regards,
Salvatore
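The thread hinges on how a data/CVE/list entry is read: a generic "- package version" line, a per-release "[release] - package <tag> (reason)" line, and free-form NOTE lines. The following parser is an added example, not code from the Debian security tracker; it resolves which line applies to a package in a given release so that the difference between Paul's "<not-affected>" suggestion and Salvatore's "<unimportant>" alternative can be checked mechanically. The indentation, the "<unimportant>" tag spelling, the NOTE: line handling and the second CVE-0000-PLACEHOLDER entry are assumptions or constructed data, not taken from the mail.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout of data/CVE/list as discussed in the thread.
# Indentation, the <unimportant> tag and the NOTE: line are assumptions; the
# second entry is a placeholder built to show the <not-affected> form.
SAMPLE = """\
CVE-2013-4422 (SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 ...)
    - quassel 0.9.1-1
    [wheezy] - quassel <unimportant> (QTBUG-30076 not backported to wheezy; binaries unaffected)
    NOTE: issue appears if qt4 carrying the backported fix for QTBUG-30076 is used
CVE-0000-PLACEHOLDER (constructed placeholder entry, not a real CVE)
    - quassel 0.10.0-1
    [wheezy] - quassel <not-affected> (Vulnerable code not present)
"""


@dataclass
class PkgStatus:
    package: str
    fixed_version: Optional[str]   # e.g. "0.9.1-1"; None when a tag is used instead
    tag: Optional[str]             # e.g. "unimportant", "not-affected"; None otherwise
    reason: Optional[str]          # text in trailing parentheses, if any


@dataclass
class CveEntry:
    cve: str
    description: str
    unstable: Dict[str, PkgStatus] = field(default_factory=dict)            # generic "- pkg ..." lines
    releases: Dict[str, Dict[str, PkgStatus]] = field(default_factory=dict)  # "[release] - pkg ..." lines
    notes: List[str] = field(default_factory=list)


# Unindented header: CVE id followed by an optional parenthesised description.
HEADER_RE = re.compile(r"^(CVE-\S+)\s*(?:\((.*)\))?\s*$")
# Status line: optional [release], "-", package, then either <tag> or a version,
# then an optional (reason).
STATUS_RE = re.compile(
    r"^(?:\[(?P<rel>[\w-]+)\]\s+)?-\s+(?P<pkg>\S+)"
    r"(?:\s+<(?P<tag>[\w-]+)>|\s+(?P<ver>\S+))?"
    r"(?:\s+\((?P<reason>.*)\))?$"
)


def parse_cve_list(text: str) -> List[CveEntry]:
    """Parse the subset of the data/CVE/list syntax shown in the thread."""
    entries: List[CveEntry] = []
    current: Optional[CveEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = CveEntry(cve=m.group(1), description=m.group(2) or "")
            entries.append(current)
            continue
        if current is None:
            raise ValueError(f"status line before any CVE header: {line!r}")
        if line.startswith("NOTE:"):
            current.notes.append(line[len("NOTE:"):].strip())
            continue
        m = STATUS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        status = PkgStatus(m["pkg"], m["ver"], m["tag"], m["reason"])
        if m["rel"]:
            current.releases.setdefault(m["rel"], {})[m["pkg"]] = status
        else:
            current.unstable[m["pkg"]] = status
    return entries


def effective_status(entry: CveEntry, package: str, release: str) -> str:
    """Return the tag of the release-specific line if one exists, otherwise
    the generic fixed version. Comparing that version against the release's
    actual package version is left to the caller."""
    status = entry.releases.get(release, {}).get(package) or entry.unstable.get(package)
    if status is None:
        return "unknown"
    if status.tag:
        return status.tag
    return f"fixed in {status.fixed_version}"


if __name__ == "__main__":
    for entry in parse_cve_list(SAMPLE):
        print(entry.cve, "wheezy:", effective_status(entry, "quassel", "wheezy"))
```

Running the block prints "unimportant" for the first entry and "not-affected" for the placeholder, which is exactly the distinction the reply draws: the per-release line overrides the generic one, so the wording of that line is what the tracker reports for wheezy.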