[Secure-testing-team] DSA/tracker inconsistencies
Micah Anderson
micah at riseup.net
Sat Jun 2 22:48:38 UTC 2007
Francesco Poli wrote:
> Hi all!
> Could someone perform some other little consistency checks, please?
Sure, thanks for checking the consistency, it's important!
> http://security-tracker.debian.net/tracker/CVE-2007-2509
> does not seem to agree with
> http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00054.html
I'm staring at both of these and I do not see where they disagree, can
you be more specific?
> http://security-tracker.debian.net/tracker/CVE-2007-0246
> does not seem to agree with
> http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00056.html
The only difference I see here is that the DSA says fixed in version
"4.5.14-5", but the tracker says "4.5.14-5etch1"; however, this is an
error in the DSA text, not in the tracker. If you look later in the DSA
text, you see the package:
http://security.debian.org/pool/updates/main/g/gforge-plugin-scmcvs/gforge-plugin-scmcvs_4.5.14-5etch1.dsc
Clearly it's -5etch1.
> http://security-tracker.debian.net/tracker/CVE-2007-1745
> http://security-tracker.debian.net/tracker/CVE-2007-1997
> http://security-tracker.debian.net/tracker/CVE-2007-2029
> don't seem to agree with
> http://packages.qa.debian.org/c/clamav.html
Again, I am having trouble seeing what doesn't agree exactly. I am
probably missing something, so please tell me what it is!
> Moreover: why aren't the three vulnerabilities marked as "fixed in
> testing-security" in
> http://security-tracker.debian.net/tracker/status/release/testing ???
They are... maybe you are looking too quickly?
> Again, why isn't CVE-2007-2057 marked as "fixed in testing-security" in
> http://security-tracker.debian.net/tracker/status/release/testing ???
>
> Finally, why isn't CVE-2007-2362 marked as "fixed in testing-security"
> in
> http://security-tracker.debian.net/tracker/status/release/testing ???
I think this is addressed in the thread you started, "Why is "fixed in
testing-security" slow to turn up in the tracker?"
micah