[Secure-testing-team] keeping track of packages in different distributions (was: [Secure-testing-commits] r12553 - data/CVE)

Nico Golde debian-secure-testing+ml at ngolde.de
Mon Aug 10 21:06:43 UTC 2009


Hi,
* Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-10 22:05]:
> On Mon, 10 Aug 2009 21:35:17 +0200, Nico Golde wrote:
> > * Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-10 21:14]:
> > > On Mon, 10 Aug 2009 18:58:17 +0000, Nico Golde wrote:
> > [...] 
> > > >  CVE-2009-2414 [libxml2 stack recursion]
> > > >  	RESERVED
> > > >  	- libxml2 <unfixed> (medium; bug #540865)
> > > > -	[etch] - libxml <unfixed>
> > > > +	[lenny] - libxml <removed>
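Review bot: the `-` line drops `[etch] - libxml <unfixed>` and the only replacement is the `[lenny]` annotation, so after this hunk nothing in the entry records etch's libxml as unfixed. If etch is still affected, keep that line next to the new `[lenny] - libxml <removed>` one. The entry also carries no unqualified `- libxml` line, unlike `- libxml2 <unfixed>`, so the status of libxml in unstable is left implicit; state it explicitly rather than relying on the release annotation.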
> > > 
> > > i still don't think this is what you're trying to get at.  you want to
> > > mark it as removed from unstable, which will automatically also mark
> > > it removed from lenny.
> > 
> > No, why should it remove it as removed from lenny as well in 
> > this case?
> 
> the tracker is smart.  if you mark a package as <removed> in unstable,
> and it is indeed removed in lenny also, then it will automatically
> track as removed.

Ok I didn't know this.

> > So my current intention is to mark lenny as not containing 
> > libxml and since this will be tracked upwards unless marked 
> > as unfixed in unstable this should mark unstable as not 
> > containing libxml as well but etch as unfixed.
> 
> i committed a change that does what i think you intended to do, please
> check the CVE pages on the tracker for those issues to see if it's what
> you expect.

Thanks! Looks good. Though I am still wondering why it 
lists:
Package Type    Release Fixed Version   Urgency Origin  Debian Bugs
libxml  source  (unstable)  (unfixed)   unknown

There is no libxml source in unstable.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.