Hi all!
Could someone perform some other little consistency checks, please?

http://security-tracker.debian.net/tracker/CVE-2007-2509
does not seem to agree with
http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00054.html

http://security-tracker.debian.net/tracker/CVE-2007-0246
does not seem to agree with
http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00056.html

http://security-tracker.debian.net/tracker/CVE-2007-1745
http://security-tracker.debian.net/tracker/CVE-2007-1997
http://security-tracker.debian.net/tracker/CVE-2007-2029
don't seem to agree with
http://packages.qa.debian.org/c/clamav.html

Moreover: why aren't the three vulnerabilities marked as "fixed in testing-security" in
http://security-tracker.debian.net/tracker/status/release/testing ???

Again, why isn't CVE-2007-2057 marked as "fixed in testing-security" in
http://security-tracker.debian.net/tracker/status/release/testing ???

Finally, why isn't CVE-2007-2362 marked as "fixed in testing-security" in
http://security-tracker.debian.net/tracker/status/release/testing ???

P.S.: Please Cc: me on replies, as I am not a list subscriber.
Thanks.

--
http://frx.netsons.org/doc/nanodocs/testing_workstation_install.html
Need to read a Debian testing installation walk-through?
.....................................................
Francesco Poli .
GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4

Francesco Poli wrote:
> Hi all!
> Could someone perform some other little consistency checks, please?

Sure, thanks for checking the consistency, it's important!

> http://security-tracker.debian.net/tracker/CVE-2007-2509
> does not seem to agree with
> http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00054.html

I'm staring at both of these and I do not see where they disagree, can you be more specific?

> http://security-tracker.debian.net/tracker/CVE-2007-0246
> does not seem to agree with
> http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00056.html

The only difference I see here is that the DSA says fixed in version "4.5.14-5", but the tracker says "4.5.14-5etch1", however this is an error in the DSA text, not in the tracker. If you look later in the DSA text, you see the package:

http://security.debian.org/pool/updates/main/g/gforge-plugin-scmcvs/gforge-plugin-scmcvs_4.5.14-5etch1.dsc

Clearly it's -5etch1

> http://security-tracker.debian.net/tracker/CVE-2007-1745
> http://security-tracker.debian.net/tracker/CVE-2007-1997
> http://security-tracker.debian.net/tracker/CVE-2007-2029
> don't seem to agree with
> http://packages.qa.debian.org/c/clamav.html

Again, I am having trouble seeing what doesn't agree exactly. I am probably missing something, so please tell me what it is!

> Moreover: why aren't the three vulnerabilities marked as "fixed in
> testing-security" in
> http://security-tracker.debian.net/tracker/status/release/testing ???

They are... maybe you are looking too quickly?

> Again, why isn't CVE-2007-2057 marked as "fixed in testing-security" in
> http://security-tracker.debian.net/tracker/status/release/testing ???
>
> Finally, why isn't CVE-2007-2362 marked as "fixed in testing-security"
> in
> http://security-tracker.debian.net/tracker/status/release/testing ???

I think this is addressed in the thread you started, "Why is "fixed in testing-security" slow to turn up in the tracker?"

micah

On Sat, 02 Jun 2007 16:48:38 -0600 Micah Anderson wrote:

[...]
> Francesco Poli wrote:
> > Hi all!
> > Could someone perform some other little consistency checks, please?
>
> Sure, thanks for checking the consistency, it's important!

You're welcome! :)

> > http://security-tracker.debian.net/tracker/CVE-2007-2509
> > does not seem to agree with
> > http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00054.html
>
> I'm staring at both of these and I do not see where they disagree, can
> you be more specific?

Actually they no longer disagree: I'm quite sure they used to disagree when I sent the message, though (even if I do not remember where...).

> > http://security-tracker.debian.net/tracker/CVE-2007-0246
> > does not seem to agree with
> > http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00056.html
>
> The only difference I see here is that the DSA says fixed in version
> "4.5.14-5", but the tracker says "4.5.14-5etch1", however this is an
> error in the DSA text, not in the tracker. If you look later in the
> DSA text, you see the package:
>
> http://security.debian.org/pool/updates/main/g/gforge-plugin-scmcvs/gforge-plugin-scmcvs_4.5.14-5etch1.dsc
>
> Clearly it's -5etch1

Ah OK, thanks for the clarification! :)

> > http://security-tracker.debian.net/tracker/CVE-2007-1745
> > http://security-tracker.debian.net/tracker/CVE-2007-1997
> > http://security-tracker.debian.net/tracker/CVE-2007-2029
> > don't seem to agree with
> > http://packages.qa.debian.org/c/clamav.html
>
> Again, I am having trouble seeing what doesn't agree exactly. I am
> probably missing something, so please tell me what it is!

I was referring to the version numbers in the various Debian branches (stable, testing, unstable, ...).
They seem perfectly consistent now.

> > Moreover: why aren't the three vulnerabilities marked as "fixed in
> > testing-security" in
> > http://security-tracker.debian.net/tracker/status/release/testing
> > ???
>
> They are... maybe you are looking too quickly?

Yes, as it was later explained to me that the tracker does not fetch data from repository so often...

> > Again, why isn't CVE-2007-2057 marked as "fixed in testing-security"
> > in http://security-tracker.debian.net/tracker/status/release/testing
> > ???
> >
> > Finally, why isn't CVE-2007-2362 marked as "fixed in
> > testing-security" in
> > http://security-tracker.debian.net/tracker/status/release/testing
> > ???
>
> I think this is addressed in the thread you started, "Why is "fixed in
> testing-security" slow to turn up in the tracker?"

Definitely.

Anyway, thanks for replying.

--
Francesco Poli