Francesco Poli
2007-Jun-23 15:28 UTC
[Secure-testing-team] DSA 1318-1 and DSA 1320-1 vs. the tracker
Hi all!

DSA 1318-1[1] refers to five CVEs for ekg and states that two of them (CVE-2005-2370 and CVE-2005-2448) only affect sarge, while the remaining three (CVE-2007-1663, CVE-2007-1664, and CVE-2007-1665) only affect etch.

However, the tracker pages for these vulnerabilities[2][3][4][5][6] seem to fail to differentiate: I mean, the page[2] for CVE-2005-2370 states that unpatched etch is vulnerable, while it's not, AFAIUI, since the issue only affects sarge; the other pages seem to have similar inconsistencies with the DSA...

Did I get it right? Or does "only affects Debian Sarge" mean something else?

[1] http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00078.html
[2] http://security-tracker.debian.net/tracker/CVE-2005-2370
[3] http://security-tracker.debian.net/tracker/CVE-2005-2448
[4] http://security-tracker.debian.net/tracker/CVE-2007-1663
[5] http://security-tracker.debian.net/tracker/CVE-2007-1664
[6] http://security-tracker.debian.net/tracker/CVE-2007-1665

Moreover, I noticed another thing, regarding DSA 1320-1. This advisory[7] refers to another five CVEs (for clamav) and states that they are fixed in the following versions:

CVE-2007-2650
CVE-2007-3023
CVE-2007-3122
CVE-2007-3123
    in version 0.84-2.sarge.17 for sarge
    in version 0.90.1-3etch1 for etch
    in version 0.90.2-1 for sid

CVE-2007-3024
    (unfixed) for sarge
    in version 0.90.1-3etch1 for etch
    in version 0.90.2-1 for sid

However, the tracker pages for these vulnerabilities[8][9][10][11][12] seem to disagree: they all claim that etch (security) is still vulnerable with version 0.90.1-3etch3, and the page[10] for CVE-2007-3024 claims that sarge (security) is fixed with version 0.84-2.sarge.17.

Are these inconsistencies between the DSA and the tracker, as I see them?
[7] http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00081.html
[8] http://security-tracker.debian.net/tracker/CVE-2007-2650
[9] http://security-tracker.debian.net/tracker/CVE-2007-3023
[10] http://security-tracker.debian.net/tracker/CVE-2007-3024
[11] http://security-tracker.debian.net/tracker/CVE-2007-3122
[12] http://security-tracker.debian.net/tracker/CVE-2007-3123

P.S.: Please Cc: me on replies, as I am not a list subscriber. Thanks.

--
http://frx.netsons.org/doc/nanodocs/testing_workstation_install.html
Need to read a Debian testing installation walk-through?
.....................................................
Francesco Poli . GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
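A self-contained check of the kind this question calls for, added here as an example and not part of the original thread or of the security tracker's own code: it reimplements dpkg's version ordering in plain Python (so it runs without dpkg installed) and reconciles the DSA 1320-1 fixed-version table quoted in the message against the tracker's claims as the message describes them. The `DSA_1320` table is transcribed from the message; the function names and the `claims` layout are assumptions of this example.

```python
def _order(c):
    # dpkg per-character rank: '~' sorts before anything (even end of string),
    # letters before other symbols; digits and end-of-string both rank 0.
    return 0 if (c.isdigit() or not c) else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # compare one upstream-version or revision fragment as dpkg's verrevcmp() does
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # leading zeros are insignificant
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit() or b[:1].isdigit():
            return 1 if a[:1].isdigit() else -1  # the longer number wins
        if first_diff:
            return first_diff
    return 0

def compare_versions(v1, v2):
    """<0, 0 or >0, like `dpkg --compare-versions v1 lt|eq|gt v2`."""
    def split(v):  # "[epoch:]upstream[-revision]"
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def is_vulnerable(installed, fixed):
    """True when `installed` predates the DSA's fixed version (None = unfixed)."""
    return fixed is None or compare_versions(installed, fixed) < 0

# Fixed versions exactly as DSA 1320-1 is quoted in the message above.
DSA_1320 = {cve: {"sarge": "0.84-2.sarge.17", "etch": "0.90.1-3etch1", "sid": "0.90.2-1"}
            for cve in ("CVE-2007-2650", "CVE-2007-3023", "CVE-2007-3122", "CVE-2007-3123")}
DSA_1320["CVE-2007-3024"] = {"sarge": None, "etch": "0.90.1-3etch1", "sid": "0.90.2-1"}

def disagreements(dsa, claims):
    """claims: {(cve, suite): (version, tracker_says_vulnerable)} -> pairs the DSA contradicts."""
    return sorted((cve, suite) for (cve, suite), (ver, vuln) in claims.items()
                  if is_vulnerable(ver, dsa[cve][suite]) != vuln)
```

Feeding it the tracker state described in the message (all five CVEs shown vulnerable in etch at 0.90.1-3etch3, CVE-2007-3024 shown fixed in sarge at 0.84-2.sarge.17) flags all six entries as disagreeing with the advisory.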