Francesco Poli
2007-May-13 22:09 UTC
[Secure-testing-team] Squirrelmail messed up on the tracker?
Hi!

I cannot understand whether the security bug tracker[1] is messing something up with squirrelmail or maybe I'm just too tired...

The tracker page[2] for CVE-2007-1262 says:

  Source Package      Release           Version     Status
  squirrelmail (PTS)  sarge             2:1.4.4-10  fixed
                      sarge (security)  2:1.4.4-11  fixed
                      etch              2:1.4.9a-1  fixed
                      lenny, sid        2:1.4.9a-1  vulnerable
                      etch (security)   2:1.4.9a-2  fixed

On the other hand, DSA 1290-1[3] claims that the problem has been fixed in

  version 1.4.4-11 for sarge
  version 1.4.9a-2 for etch
  version 1.4.10a-1 for sid

and the PTS shows[4] the following versions:

  Oldstable                   2:1.4.4-10
  Oldstable Security Updates  2:1.4.4-11
  Stable                      2:1.4.9a-1
  Testing                     2:1.4.10a-1
  Unstable                    2:1.4.10a-1
  Experimental                2:1.5.1-5

What's wrong?

[1] http://security-tracker.debian.net/tracker/
[2] http://security-tracker.debian.net/tracker/CVE-2007-1262
[3] http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00046.html
[4] http://packages.qa.debian.org/s/squirrelmail.html

P.S.: Please Cc: me on replies, as I am not a list subscriber. Thanks.

--
http://frx.netsons.org/doc/nanodocs/testing_workstation_install.html
Need to read a Debian testing installation walk-through?
Francesco Poli
GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
Stefan Fritsch
2007-May-14 20:52 UTC
[Secure-testing-team] Squirrelmail messed up on the tracker?
On Monday, 14 May 2007, Francesco Poli wrote:
> On the other hand, DSA 1290-1[3] claims that the problem has been
> fixed in
>   version 1.4.4-11 for sarge
>   version 1.4.9a-2 for etch
>   version 1.4.10a-1 for sid

> What's wrong?

There was a missing epoch in the DSA and in the tracker. Thanks for notifying us.

I have fixed the information in the tracker. Can somebody fix the DSA on security.d.o?

Cheers,
Stefan
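Why a missing epoch changes the outcome of a version check, as an added example that is not part of the thread and not the tracker's own code: a Python re-implementation of Debian's version ordering (epoch first, then upstream version, then revision), meant to be run on the version strings quoted in the thread. The `status` helper is a hypothetical tracker-style check assumed for illustration.

```python
def parse(version):
    """Split '[epoch:]upstream[-revision]'; a missing epoch means 0."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def _order(ch):
    # '~' sorts before everything (even end of string); letters before other characters.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _run(s, i, digits):
    """Return the run of digits (or of non-digits) that starts at s[i]."""
    j = i
    while j < len(s) and s[j].isdigit() == digits:
        j += 1
    return s[i:j]

def _cmp_part(a, b):
    """Compare upstream or revision strings: alternate non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        ra, rb = _run(a, i, False), _run(b, j, False)
        for k in range(max(len(ra), len(rb))):
            ca = _order(ra[k]) if k < len(ra) else 0
            cb = _order(rb[k]) if k < len(rb) else 0
            if ca != cb:
                return -1 if ca < cb else 1
        i, j = i + len(ra), j + len(rb)
        da, db = _run(a, i, True), _run(b, j, True)
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        i, j = i + len(da), j + len(db)
    return 0

def compare(v1, v2):
    """Return -1, 0 or 1; the epoch is compared first and overrides the rest."""
    (e1, u1, r1), (e2, u2, r2) = parse(v1), parse(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def status(installed, fixed_in):
    # Hypothetical tracker-style check: fixed once installed >= first fixed version.
    return "fixed" if compare(installed, fixed_in) >= 0 else "vulnerable"
```

With the epoch omitted from the fixed version, `status("2:1.4.9a-1", "1.4.9a-2")` returns "fixed" because epoch 2 outranks the implicit epoch 0; with the epoch present, `status("2:1.4.9a-1", "2:1.4.9a-2")` returns "vulnerable".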
Luk Claes
2007-May-14 21:06 UTC
[Secure-testing-team] Squirrelmail messed up on the tracker?
Stefan Fritsch wrote:
> On Monday, 14 May 2007, Francesco Poli wrote:
>> On the other hand, DSA 1290-1[3] claims that the problem has been
>> fixed in
>>   version 1.4.4-11 for sarge
>>   version 1.4.9a-2 for etch
>>   version 1.4.10a-1 for sid
>
>> What's wrong?
>
> There was a missing epoch in the DSA and in the tracker. Thanks for
> notifying us.
>
> I have fixed the information in the tracker. Can somebody fix the DSA
> on security.d.o?

I guess you mean on www.d.o/security? If so, I fixed it :-)

Cheers

Luk
Francesco Poli
2007-May-14 22:40 UTC
[Secure-testing-team] Squirrelmail messed up on the tracker?
On Mon, 14 May 2007 22:52:28 +0200 Stefan Fritsch wrote:
> On Monday, 14 May 2007, Francesco Poli wrote:
> > On the other hand, DSA 1290-1[3] claims that the problem has been
> > fixed in
> >   version 1.4.4-11 for sarge
> >   version 1.4.9a-2 for etch
> >   version 1.4.10a-1 for sid
>
> > What's wrong?
>
> There was a missing epoch in the DSA and in the tracker. Thanks for
> notifying us.

You're welcome! :)

> I have fixed the information in the tracker. Can somebody fix the DSA
> on security.d.o?

There's still something wrong, it seems. Testing and unstable are still claimed to be vulnerable by the tracker, but the DSA claims that the problem is fixed in version 2:1.4.10a-1, which is already in unstable and testing, according to the PTS...

P.S.: Please go on Cc:ing me on replies, as I am not a list subscriber. Thanks.
Florian Weimer
2007-May-15 09:54 UTC
[Secure-testing-team] Squirrelmail messed up on the tracker?
* Stefan Fritsch:
> I have fixed the information in the tracker. Can somebody fix the DSA
> on security.d.o?

DSAs traditionally do not mention epochs. dpkg hides them from end users as well. 8-/

I'm not sure if that should be changed.
Stefan Fritsch
2007-May-15 16:12 UTC
[Secure-testing-team] Squirrelmail messed up on the tracker?
On Tuesday 15 May 2007, Francesco Poli wrote:
> There's still something wrong, it seems.
> Testing and unstable are still claimed to be vulnerable by the
> tracker, but the DSA claims that the problem is fixed in version
> 2:1.4.10a-1, which is already in unstable and testing, according to
> the PTS...

It seems that was just the tracker not being very fast in picking up new package versions from unstable. It's updated now.

The upload was on May 10, so it probably appeared in the Packages file on May 11. I don't think it is normally that slow, but I don't know how often the package lists are downloaded.
Moritz Muehlenhoff
2007-May-15 17:09 UTC
[Secure-testing-team] Squirrelmail messed up on the tracker?
Florian Weimer wrote:
> * Stefan Fritsch:
>
> > I have fixed the information in the tracker. Can somebody fix the DSA
> > on security.d.o?
>
> DSAs traditionally do not mention epochs. dpkg hides them from end
> users as well. 8-/
>
> I'm not sure if that should be changed.

Yes, epochs are being kept out of DSA texts.

Cheers,
Moritz
Francesco Poli
2007-May-15 19:39 UTC
[Secure-testing-team] Squirrelmail messed up on the tracker?
On Tue, 15 May 2007 18:12:14 +0200 Stefan Fritsch wrote:
> On Tuesday 15 May 2007, Francesco Poli wrote:
> > There's still something wrong, it seems.
> > Testing and unstable are still claimed to be vulnerable by the
> > tracker, but the DSA claims that the problem is fixed in version
> > 2:1.4.10a-1, which is already in unstable and testing, according to
> > the PTS...
>
> it seems that was just the tracker not being very fast in picking up
> new package versions from unstable. It's updated now.

Yes, everything about CVE-2007-1262 seems to be consistent now.

Thanks for maintaining such a useful resource as the security bug tracker! :)