[Secure-testing-team] DSA/tracker inconsistencies
Francesco Poli
frx at firenze.linux.it
Sun Jun 3 15:50:37 UTC 2007
On Sat, 02 Jun 2007 16:48:38 -0600 Micah Anderson wrote:
[...]
> Francesco Poli wrote:
> > Hi all!
> > Could someone perform some other little consistency checks, please?
>
> Sure, thanks for checking the consistency, it's important!
You're welcome! :)
>
> > http://security-tracker.debian.net/tracker/CVE-2007-2509
> > does not seem to agree with
> > http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00054.html
>
> I'm staring at both of these and I do not see where they disagree, can
> you be more specific?
Actually they no longer disagree: I'm quite sure they used to disagree
when I sent the message, though (even if I do not remember where...).
>
> > http://security-tracker.debian.net/tracker/CVE-2007-0246
> > does not seem to agree with
> > http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00056.html
>
> The only difference I see here is that the DSA says fixed in version
> "4.5.14-5", but the tracker says "4.5.14-5etch1", however this is an
> error in the DSA text, not in the tracker. If you look later in the
> DSA text, you see the package:
>
> http://security.debian.org/pool/updates/main/g/gforge-plugin-scmcvs/gforge-plugin-scmcvs_4.5.14-5etch1.dsc
>
> Clearly it's -5etch1
Ah OK, thanks for the clarification! :)
>
> > http://security-tracker.debian.net/tracker/CVE-2007-1745
> > http://security-tracker.debian.net/tracker/CVE-2007-1997
> > http://security-tracker.debian.net/tracker/CVE-2007-2029
> > don't seem to agree with
> > http://packages.qa.debian.org/c/clamav.html
>
> Again, I am having trouble seeing what doesn't agree exactly. I am
> probably missing something, so please tell me what it is!
I was referring to the version numbers in the various Debian branches
(stable, testing, unstable, ...).
They seem perfectly consistent now.
>
> > Moreover: why aren't the three vulnerabilities marked as "fixed in
> > testing-security" in
> > http://security-tracker.debian.net/tracker/status/release/testing
> > ???
>
> They are... maybe you are looking too quickly?
Yes, as it was later explained to me that the tracker does not fetch
data from the repository so often...
>
> > Again, why isn't CVE-2007-2057 marked as "fixed in testing-security"
> > in http://security-tracker.debian.net/tracker/status/release/testing
> > ???
> >
> > Finally, why isn't CVE-2007-2362 marked as "fixed in
> > testing-security" in
> > http://security-tracker.debian.net/tracker/status/release/testing
> > ???
>
> I think this is addressed in the thread you started, "Why is "fixed in
> testing-security" slow to turn up in the tracker?"
Definitely.
Anyway, thanks for replying.
--
http://frx.netsons.org/doc/nanodocs/testing_workstation_install.html
Need to read a Debian testing installation walk-through?
..................................................... Francesco Poli .
GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4