[Secure-testing-team] DSA 1318-1 and DSA 1320-1 vs. the tracker

Francesco Poli frx at firenze.linux.it
Sat Jun 23 15:28:29 UTC 2007


Hi all!

DSA 1318-1[1] refers to five CVEs for ekg and states that two of them
(CVE-2005-2370 and CVE-2005-2448) only affect sarge, while the remaining
three (CVE-2007-1663, CVE-2007-1664, and CVE-2007-1665) only affect
etch.

However, the tracker pages for these vulnerabilities[2][3][4][5][6] seem
to fail to differentiate: I mean, the page[2] for CVE-2005-2370 states
that unpatched etch is vulnerable, while it's not, AFAIUI, since the
issue only affects sarge; the other pages seem to have similar
inconsistencies with the DSA...

Did I get it right?
Or does "only affects Debian Sarge" mean something else?


[1] http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00078.html
[2] http://security-tracker.debian.net/tracker/CVE-2005-2370
[3] http://security-tracker.debian.net/tracker/CVE-2005-2448
[4] http://security-tracker.debian.net/tracker/CVE-2007-1663
[5] http://security-tracker.debian.net/tracker/CVE-2007-1664
[6] http://security-tracker.debian.net/tracker/CVE-2007-1665


Moreover, I noticed another thing, regarding DSA 1320-1.
This advisory[7] refers to another five CVEs (for clamav) and states
that they are fixed in the following versions:

CVE-2007-2650 CVE-2007-3023 CVE-2007-3122 CVE-2007-3123
in version 0.84-2.sarge.17 for sarge
in version 0.90.1-3etch1   for etch
in version 0.90.2-1        for sid

CVE-2007-3024
(unfixed)                  for sarge
in version 0.90.1-3etch1   for etch
in version 0.90.2-1        for sid

However, the tracker pages for these vulnerabilities[8][9][10][11][12]
seem to disagree: they all claim that etch (security) is still
vulnerable with version 0.90.1-3etch3, and the page[10] for
CVE-2007-3024 claims that sarge (security) is fixed with version
0.84-2.sarge.17.

Are these inconsistencies between the DSA and the tracker as I see them?


[7] http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00081.html
[8] http://security-tracker.debian.net/tracker/CVE-2007-2650
[9] http://security-tracker.debian.net/tracker/CVE-2007-3023
[10] http://security-tracker.debian.net/tracker/CVE-2007-3024
[11] http://security-tracker.debian.net/tracker/CVE-2007-3122
[12] http://security-tracker.debian.net/tracker/CVE-2007-3123


P.S.: Please Cc: me on replies, as I am not a list subscriber.  Thanks.


-- 
 http://frx.netsons.org/doc/nanodocs/testing_workstation_install.html
 Need to read a Debian testing installation walk-through?
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4
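The DSA-versus-tracker comparison the mail walks through, as an added example that is not part of the original message or of the security tracker's own code: it encodes the fixed versions stated in DSA 1320-1 and the tracker statuses as the mail reports them, derives each suite's expected status with a Python re-implementation of dpkg's version ordering (epoch, upstream, Debian revision, with `~` sorting lowest), and flags the entries where the two disagree. The suite names and versions come from the mail; the data layout and function names are the example's own.

```python
import re
from itertools import zip_longest

def _order(c):
    """dpkg's character weight: '~' < end-of-run < letters < other characters."""
    if c.isalpha(): return ord(c)
    return -1 if c == "~" else (ord(c) + 256 if c else 0)

def _verrevcmp(a, b):
    """dpkg ordering of an upstream-version or revision string: alternating non-digit runs and numbers."""
    runs = lambda s: re.findall(r"(\D*)(\d*)", s)
    for (sa, na), (sb, nb) in zip_longest(runs(a), runs(b), fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):  # non-digit run, char by char
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        ia, ib = int(na or -1), int(nb or -1)             # numeric run; a missing run sorts lowest
        if ia != ib:
            return ia - ib
    return 0

def compare_versions(v1, v2):
    """<0, 0 or >0 like `dpkg --compare-versions`: epoch, then upstream, then Debian revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep: epoch, rest = "0", v
        upstream, sep, rev = rest.rpartition("-")
        if not sep: upstream, rev = rest, ""
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

# Fixed versions as stated in DSA 1320-1 (None = unfixed in that suite).
DSA_1320 = {cve: {"sarge": "0.84-2.sarge.17", "etch": "0.90.1-3etch1", "sid": "0.90.2-1"}
            for cve in ("CVE-2007-2650", "CVE-2007-3023", "CVE-2007-3122", "CVE-2007-3123")}
DSA_1320["CVE-2007-3024"] = {"sarge": None, "etch": "0.90.1-3etch1", "sid": "0.90.2-1"}

# Tracker entries as the mail reports them: (cve, suite, version shown, status claimed).
TRACKER_CLAIMS = [(cve, "etch", "0.90.1-3etch3", "vulnerable") for cve in DSA_1320]
TRACKER_CLAIMS.append(("CVE-2007-3024", "sarge", "0.84-2.sarge.17", "fixed"))

def expected_status(version, fixed_in):
    """A suite is fixed once its package version is at or past the DSA's fixing version."""
    return "fixed" if fixed_in and compare_versions(version, fixed_in) >= 0 else "vulnerable"

def find_inconsistencies(dsa, claims):
    """Return (cve, suite, version, tracker status, DSA-implied status) for every disagreement."""
    rows = [(c, s, v, claimed, expected_status(v, dsa[c][s])) for c, s, v, claimed in claims]
    return [r for r in rows if r[3] != r[4]]
```

Run against the data above it reports all six tracker entries the mail questions: the five etch entries (0.90.1-3etch3 is past the fixing version 0.90.1-3etch1) and the sarge entry for CVE-2007-3024, which the DSA lists as unfixed.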