Hi!
It seems to me that the security bug tracker[1] is inconsistent with DSA
1300-1...
The DSA[2] states that six iceape vulnerabilities are:
* unfixed in sarge
* fixed by version 1.0.9-0etch1 in etch
* still unfixed in sid
The tracker seems to disagree, though. Out of six vulnerabilities,
one[3] is claimed to be "not known to" affect Debian (with a note that
says "check"), another[4] is claimed to be NOT-FOR-US ("No practical
security implications"), and the remaining four[5][6][7][8] are claimed
to affect sarge, etch, etch (security), lenny, and sid.
The tracker seems to correctly know which versions are in which Debian
branch, hence I don't think that the problem lies in delayed fetch of
Packages.gz...
What's wrong?
[1] http://security-tracker.debian.net/tracker/
[2] http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00060.html
[3] http://security-tracker.debian.net/tracker/CVE-2007-1362
[4] http://security-tracker.debian.net/tracker/CVE-2007-1558
[5] http://security-tracker.debian.net/tracker/CVE-2007-2867
[6] http://security-tracker.debian.net/tracker/CVE-2007-2868
[7] http://security-tracker.debian.net/tracker/CVE-2007-2870
[8] http://security-tracker.debian.net/tracker/CVE-2007-2871
P.S.: Please Cc: me on replies, as I am not a list subscriber. Thanks.
--
http://frx.netsons.org/doc/nanodocs/testing_workstation_install.html
Need to read a Debian testing installation walk-through?
..................................................... Francesco Poli .
GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
Hi Francesco

On Friday, 8 June 2007, Francesco Poli wrote:
> one[3] is claimed to be "not known to" affect Debian (with a note
> that says "check"),

This is the message one gets if no information about an issue has been entered in the tracker, yet. This has been fixed in the meantime.

> another[4] is claimed to be NOT-FOR-US ("No
> practical security implications"),

This is true, but it was still fixed in the DSA, so there was no reason not to mention it in the DSA.

> and the remaining
> four[5][6][7][8] are claimed to affect sarge, etch, etch
> (security), lenny, and sid.

As with the gimp DSA, the iceape DSA was entered into the tracker a bit later (this is done by hand). I think the info now is correct.

> [1] http://security-tracker.debian.net/tracker/
> [2] http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00060.html
> [3] http://security-tracker.debian.net/tracker/CVE-2007-1362
> [4] http://security-tracker.debian.net/tracker/CVE-2007-1558
> [5] http://security-tracker.debian.net/tracker/CVE-2007-2867
> [6] http://security-tracker.debian.net/tracker/CVE-2007-2868
> [7] http://security-tracker.debian.net/tracker/CVE-2007-2870
> [8] http://security-tracker.debian.net/tracker/CVE-2007-2871

Cheers,
Stefan
On Tue, 12 Jun 2007 23:25:21 +0200 Stefan Fritsch wrote:
[...]
> As with the gimp DSA, the iceape DSA was entered into the tracker a
> bit later (this is done by hand). I think the info now is correct.

Yes, I can confirm that now the info provided by the tracker on these vulnerabilities seems to be consistent with the relevant DSAs.
Thanks for keeping the tracker up-to-date (and, of course, for enhancing Debian security!).
--
http://frx.netsons.org/doc/nanodocs/testing_workstation_install.html
Need to read a Debian testing installation walk-through?
..................................................... Francesco Poli .
GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4