Hi all!
According to [1], the described issue is fixed in sash:
| sash (PTS) woody 3.4-8.2 fixed
| sarge, sarge (security) 3.7-5sarge1 fixed
| etch, sid 3.7-7 fixed
On the other hand, bug #318246[2] is still open and seems to state
that the issue is still unfixed in sarge.
Is this an inconsistency?
Moreover, according to [1], the issue is unfixed in mysql-dfsg-4.1:
| mysql-dfsg-4.1 (PTS) sarge 4.1.11a-4sarge2 vulnerable
| sarge (security) 4.1.11a-4sarge4 vulnerable
On the other hand, bug #319858[3] claims that mysql-dfsg-4.1 is not
affected.
Who's right? Who's wrong?
Last question: why is bug #332236[4] listed in [1]? It doesn't seem
to be related to CVE-2005-2096...
[1] http://idssi.enyo.de/tracker/CVE-2005-2096
[2] http://bugs.debian.org/318246
[3] http://bugs.debian.org/319858
[4] http://bugs.debian.org/332236
P.S.: As usual, I would like to be Cc:ed on replies, as I am not a
subscriber of the list. Thanks!
--
:-( This Universe is buggy! Where's the Creator's BTS?
;-)
......................................................................
Francesco Poli GnuPG Key ID = DD6DFCF4
Key fingerprint = C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
Francesco Poli wrote:
> Hi all!
>
> According to [1], the described issue is fixed in sash:
>
> | sash (PTS) woody 3.4-8.2 fixed
> | sarge, sarge (security) 3.7-5sarge1 fixed
> | etch, sid 3.7-7 fixed
>
> On the other hand, bug #318246[2] is still open and seems to state
> that the issue is still unfixed in sarge.
> Is this an inconsistency?

The DSA was issued after the last bug activity, the maintainer should have closed it. The Security Team doesn't close bugs for the maintainers.

> Moreover, according to [1], the issue is unfixed in mysql-dfsg-4.1:
>
> | mysql-dfsg-4.1 (PTS) sarge 4.1.11a-4sarge2 vulnerable
> | sarge (security) 4.1.11a-4sarge4 vulnerable
>
> On the other hand, bug #319858[3] claims that mysql-dfsg-4.1 is not
> affected.
> Who's right? Who's wrong?

The unfixed source is still present, but it's not compiled into the binary package. Thus it's marked as "unimportant".

Cheers,
Moritz
On Wed, 12 Jul 2006 22:29:03 +0200 Moritz Muehlenhoff wrote:
> Francesco Poli wrote:
[...]
> > According to [1], the described issue is fixed in sash:
[...]
> > On the other hand, bug #318246[2] is still open and seems to state
> > that the issue is still unfixed in sarge.
> > Is this an inconsistency?
>
> The DSA was issued after the last bug activity, the maintainer should
> have closed it. The Security Team doesn't close bugs for the
> maintainers.

Ah, I see: I'm notifying the maintainer just now...

> >
> > Moreover, according to [1], the issue is unfixed in mysql-dfsg-4.1:
[...]
> > On the other hand, bug #319858[3] claims that mysql-dfsg-4.1 is not
> > affected.
> > Who's right? Who's wrong?
>
> The unfixed source is still present, but it's not compiled into the
> binary package. Thus it's marked as "unimportant".

Ah, right, I didn't notice.
Sorry for the noise.
Thanks.

--
:-( This Universe is buggy! Where's the Creator's BTS?
;-)
......................................................................
Francesco Poli GnuPG Key ID = DD6DFCF4
Key fingerprint = C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4