Hi,

On Wed, Sep 10, 2014 at 02:06:01PM +0200, Holger Levsen wrote:
> package: security-tracker
> severity: important
> x-debbugs-cc: debian-...@lists.debian.org
>
> Hi,
>
> the tracker doesn't show issues which are "only" closed in the security or lts
> subreleases as closed, as for example can be seen on
> https://security-tracker.debian.org/tracker/source-package/file
>
> e.g. https://security-tracker.debian.org/tracker/CVE-2014-3478 is closed in
> both wheezy-security as well as squeeze-lts, yet the
> /tracker/source-package/file lists it as open.
>
> (The pages like https://security-tracker.debian.org/tracker/CVE-2014-3478
> also are less clean, but at least they contain the right info visibly, just a
> bit scrambled.)
>
> I believe the bug is in getBugsForSourcePackage() in
> lib/python/security_db.py but I couldn't yet wrap my head around it properly
> to fix it.
>
> There seem to be several functions (in security_db.py) which only deal with
> the releases (sid, jessie, wheezy, squeeze) but not the subreleases
> (security, lts).
The tabular view clearly would need some improvement and making clear where
the fix is already, e.g. wheezy-security but not yet wheezy. I try to explain.

The version tracked on the individual CVE pages is *correct* from the
following point of view: A fix is in wheezy-security already, but not yet
accepted into the wheezy suite. This happens when the release team accepts an
upload through security, which gets uploaded to wheezy-proposed-updates-NEW to
be integrated into an upcoming point release[*]. It is not enough from the
stable point of view for having the fix available in stable to have it only on
wheezy-security -- it also needs to be included into a wheezy point release.

Thus for example taking CVE-2014-3478 we have:

squeeze, squeeze (security)   5.04-5+squeeze5   vulnerable
squeeze (lts)                 5.04-5+squeeze6   fixed
wheezy                        5.11-2+deb7u3     vulnerable
wheezy (security)             5.11-2+deb7u4     fixed
jessie, sid                   1:5.19-2          fixed

One issue is: with -lts it will never happen that packages will be integrated
into squeeze, as there will be no point releases including the -lts fixes into
squeeze.

[*] An example where this currently does not happen is openjdk-7.

Regards,
Salvatore