[Secure-testing-team] [Secure-testing-commits] r12553 - data/CVE

Moritz Muehlenhoff jmm at inutil.org
Tue Aug 11 17:07:06 UTC 2009


On Mon, Aug 10, 2009 at 09:35:17PM +0200, Nico Golde wrote:
> Hi,
> * Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-10 21:14]:
> > On Mon, 10 Aug 2009 18:58:17 +0000, Nico Golde wrote:
> [...] 
> > >  CVE-2009-2414 [libxml2 stack recursion]
> > >  	RESERVED
> > >  	- libxml2 <unfixed> (medium; bug #540865)
> > > -	[etch] - libxml <unfixed>
> > > +	[lenny] - libxml <removed>
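Review bot: the added `[lenny] - libxml <removed>` line replaces `[etch] - libxml <unfixed>` instead of sitting beside it, so after this hunk no line records the status of libxml in etch. If etch is still meant to be tracked as unfixed, keep an entry that covers it, or use a suite-less `- libxml <removed>` line next to the `libxml2` entry so the removal is stated once at the unstable level.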
> > 
> > i still don't think this is what you're trying to get at.  you want to
> > mark it as removed from unstable, which will automatically also mark
> > it removed from lenny.
> 
> No, why should it remove it as removed from lenny as well in 
> this case?
> 
> > then you want to do something special for etch, and i think your intent
> > is a no-dsa?
> 
> Not sure yet.
> 
> > or if you don't want to do that, you can not add an etch 
> > entry, and it will be tracked as affected.
> 
> So my current intention is to mark lenny as not containing 
> libxml and since this will be tracked upwards unless marked 
> as unfixed in unstable this should mark unstable as not 
> containing libxml as well but etch as unfixed.

Just use:
libxml2 <unfixed> (medium; bug #540865)
libxml <removed>

The tracker knows which source package is present in which
suite. If a package is marked as <removed> in unstable it is
automatically marked as unfixed for all the suites it still
remains in.

(It would be nice if anyone could add this to the introductory
explanation document.)

Cheers,
Moritz
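
A simplified model of the rule described in the message above, added here as an illustration (it is not the tracker's code and not part of the original mail). The suite contents, the "not present" / "no entry" labels and the function names are assumptions made for the example.

```python
import re

# Constructed suite contents (assumption): libxml survives only in etch.
SUITES = {"etch": {"libxml", "libxml2"}, "lenny": {"libxml2"}, "sid": {"libxml2"}}

# Matches "- pkg <state>" with an optional "[suite]" prefix.
ENTRY = re.compile(r"^\s*(?:\[(\w+)\]\s+)?-\s+(\S+)\s+<(\w+)>")

def parse(entries):
    """Return {(package, suite or None): state}; suite None means unstable."""
    parsed = {}
    for line in entries.splitlines():
        m = ENTRY.match(line)
        if m:
            suite, pkg, state = m.groups()
            parsed[(pkg, suite)] = state
    return parsed

def status(entries, suites=SUITES):
    """Per-suite status of every package named in the entries."""
    parsed = parse(entries)
    result = {}
    for pkg in sorted({p for p, _ in parsed}):
        for suite, contents in suites.items():
            if pkg not in contents:
                state = "not present"
            elif (pkg, suite) in parsed:
                state = parsed[(pkg, suite)]   # explicit per-suite line
            elif (pkg, None) in parsed:
                # <unfixed> or <removed> in unstable: every suite that
                # still ships the package is tracked as unfixed.
                state = "unfixed"
            else:
                state = "no entry"             # no line covers this suite
            result[(pkg, suite)] = state
    return result

# Constructed inputs: the two-line form suggested in the mail, and the
# form from the quoted commit.
SUGGESTED = "- libxml2 <unfixed> (medium; bug #540865)\n- libxml <removed>\n"
COMMITTED = "- libxml2 <unfixed> (medium; bug #540865)\n[lenny] - libxml <removed>\n"

if __name__ == "__main__":
    for name, text in (("suggested", SUGGESTED), ("committed", COMMITTED)):
        print(name)
        for (pkg, suite), state in status(text).items():
            print(f"  {pkg:8} {suite:6} {state}")
```
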



