Francesco Poli
2007-May-31 21:24 UTC
[Secure-testing-team] Why is "fixed in testing-security" slow to turn up in the tracker?
Hi!

The following three pages
http://security-tracker.debian.net/tracker/CVE-2007-2444
http://security-tracker.debian.net/tracker/CVE-2007-2446
http://security-tracker.debian.net/tracker/CVE-2007-2447
seem to be OK and consistent with the related DSA and DTSA.

However,
http://security-tracker.debian.net/tracker/status/release/testing
does not yet show those three vulnerabilities as "fixed in testing-security".
Why does this seem to be often updated in delay w.r.t. the other data?

P.S.: Please Cc: me on replies, as I am not a list subscriber. Thanks.

--
http://frx.netsons.org/doc/nanodocs/testing_workstation_install.html
Need to read a Debian testing installation walk-through?
Francesco Poli
GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
Stefan Fritsch
2007-May-31 21:38 UTC
[Secure-testing-team] Why is "fixed in testing-security" slow to turn up in the tracker?
Hi,

On Thursday, 31 May 2007, Francesco Poli wrote:
> The following three pages
> http://security-tracker.debian.net/tracker/CVE-2007-2444
> http://security-tracker.debian.net/tracker/CVE-2007-2446
> http://security-tracker.debian.net/tracker/CVE-2007-2447
> seem to be OK and consistent with the related DSA and DTSA.

They also say that lenny is vulnerable.

> However,
> http://security-tracker.debian.net/tracker/status/release/testing
> does not yet show those three vulnerabilities as "fixed in
> testing-security".
> Why does this seem to be often updated in delay w.r.t. the other
> data?

The data which vulnerability is fixed in which version is pushed to the tracker (by the svn commit). However, the data which versions are in which distributions gets only updated when the tracker downloads the Packages files, which does not happen too often (once a day?).

Therefore, at the moment the tracker knows that the issues are fixed in version 3.0.24-6+lenny3, but it doesn't know yet that this version is in testing-security.

HTH.

Cheers,
Stefan
Francesco Poli
2007-May-31 21:49 UTC
[Secure-testing-team] Why is "fixed in testing-security" slow to turn up in the tracker?
On Thu, 31 May 2007 23:38:18 +0200 Stefan Fritsch wrote:
> On Thursday, 31 May 2007, Francesco Poli wrote:
[...]
> > Why does this seem to be often updated in delay w.r.t. the other
> > data?
>
> The data which vulnerability is fixed in which version is pushed to
> the tracker (by the svn commit). However, the data which versions are
> in which distributions gets only updated when the tracker downloads
> the Packages files, which does not happen too often (once a day?).
>
> Therefore, at the moment the tracker knows that the issues are fixed
> in version 3.0.24-6+lenny3, but it doesn't know yet that this version
> is in testing-security.

Ah, I see: so I expect to see those holes marked as "fixed in testing-security" tomorrow...

Thank you very much for the explanation (and for enhancing the security of the Debian testing branch, of course!!!).

Bye.
Florian Weimer
2007-Jun-01 08:59 UTC
[Secure-testing-team] Why is "fixed in testing-security" slow to turn up in the tracker?
* Stefan Fritsch:
> The data which vulnerability is fixed in which version is pushed to
> the tracker (by the svn commit). However, the data which versions are
> in which distributions gets only updated when the tracker downloads
> the Packages files, which does not happen too often (once a day?).

I used to trigger on the DTSA mailings, but AFAICT the mailing list is mostly dead.

I'm going to switch to a new server in mid-June, and after that, I can raise the frequency of updates.
Micah Anderson
2007-Jun-02 23:43 UTC
[Secure-testing-team] Why is "fixed in testing-security" slow to turn up in the tracker?
Florian Weimer wrote:
> * Stefan Fritsch:
>
>> The data which vulnerability is fixed in which version is pushed to
>> the tracker (by the svn commit). However, the data which versions are
>> in which distributions gets only updated when the tracker downloads
>> the Packages files, which does not happen too often (once a day?).
>
> I used to trigger on the DTSA mailings, but AFAICT the mailing list is
> mostly dead.

Only because there haven't been any DTSAs recently, but Stefan has changed that recently, and a number of posts have gone through in the past weeks. Maybe it makes sense to trigger on these again?

Micah