On Sat, Nov 10, 2007 at 07:35:38PM +0100, Thijs Kinkhorst wrote:
> Hi All,
> 
> On Friday 9 November 2007 23:52, Francesco Poli wrote:
> > Hi all again!
> >
> > DSA 1404-1 [1] claims that gallery2 version 2.1.2-2.0.etch.1 fixes
> > CVE-2007-4650 for etch.
> > The DSA page [2] seems to confirm this.
> > However the CVE page [3] tells a different story: it states that version
> > 2.1.2-2.0.etch.1 is vulnerable.
> > Is this a security-tracker internal inconsistency?
> 
> I'm a bit confused by this. The tracker information now says:
> 
> CVE-2007-4650 (Multiple unspecified vulnerabilities in Gallery before 2.2.3 
> allow ...)
>         {DSA-1404-1}
>         - gallery2 2.2.3-1
>         [etch] - gallery2 <unfixed> (bug #441407)

Suite-specific <unfixed> entries should not be used for the exact reason
Francesco reported: the suite-specific tag overlays the general entry
set by the DSA/list data. It's also not necessary here, since
"- gallery2 2.2.3-1" marks all older versions implicitly as unfixed.

The few cornercases where suite-specific unfixed entries are useful are
cases, where a source package has been renamed and is no longer present
in unstable.

Since it's not obvious, it should be added to the Tracker docs (unless it
exists already).

Cheers,
        Moritz
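To make the resolution rule Moritz describes concrete, here is a small model of it. This is an added illustration, not the security tracker's own code: it parses the "- package version" and "[suite] - package <unfixed>" entry syntax quoted in the mail, applies the precedence Moritz states (a suite-specific CVE/list entry overlays the DSA/list data for that suite, which in turn overlays the general entry), and compares versions with a re-implementation of the dpkg ordering. The CVE/list and DSA/list fragments are constructed from the thread; the precedence order and the sid version "2.2.2-1" are assumptions made for the demonstration.

```python
"""Model of fixed/unfixed resolution in Debian security-tracker data.

Added illustration, not the tracker's own code.  The entry syntax is the one
quoted in the thread; the precedence (suite-specific CVE/list entry > DSA/list
entry for that suite > general entry) is the overlay behaviour Moritz describes,
simplified.  vercmp() re-implements the dpkg version ordering.
"""
import re

# --- dpkg-style version comparison ----------------------------------------

def _order(c):
    # dpkg ordering for non-digit characters: '~' sorts before everything,
    # even end-of-string (0); letters before all other characters.
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _cmp_nondigit(sa, sb):
    for i in range(max(len(sa), len(sb))):
        x = _order(sa[i]) if i < len(sa) else 0
        y = _order(sb[i]) if i < len(sb) else 0
        if x != y:
            return -1 if x < y else 1
    return 0

def _cmp_fragment(a, b):
    # Alternately compare non-digit runs (lexically, per _order) and
    # digit runs (numerically), exactly as dpkg does for upstream/revision.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def vercmp(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

# --- tracker entry model ----------------------------------------------------

# Matches "- pkg version", "[suite] - pkg version" and "[suite] - pkg <unfixed>";
# trailing "(bug #NNN)" annotations are ignored.
ENTRY_RE = re.compile(r"^\s*(?:\[(?P<suite>\w+)\]\s*)?-\s+(?P<pkg>\S+)\s+(?P<ver>\S+)")

def parse_entries(text):
    """Return [(suite or None, package, fixed_version or None), ...]."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ver = None if m["ver"] == "<unfixed>" else m["ver"]
            out.append((m["suite"], m["pkg"], ver))
    return out

def status(package, suite, installed, cve_entries, dsa_entries=()):
    """Resolve 'fixed' / 'vulnerable' / 'unknown' for package@installed in suite."""
    def pick(entries, s):
        return [e for e in entries if e[1] == package and e[0] == s]
    candidates = (pick(cve_entries, suite)      # suite-specific CVE/list entry wins
                  or pick(dsa_entries, suite)   # then the DSA's entry for that suite
                  or pick(cve_entries, None))   # then the general "- pkg version"
    if not candidates:
        return "unknown"
    fixed = candidates[0][2]
    if fixed is None:
        return "vulnerable"                     # explicit <unfixed>
    # A general entry marks every older version vulnerable implicitly.
    return "fixed" if vercmp(installed, fixed) >= 0 else "vulnerable"

# Constructed from the thread: the CVE/list entry as it stood, and as corrected.
CVE_LIST_WITH_OVERRIDE = """\
CVE-2007-4650 (Multiple unspecified vulnerabilities in Gallery before 2.2.3 allow ...)
        {DSA-1404-1}
        - gallery2 2.2.3-1
        [etch] - gallery2 <unfixed> (bug #441407)
"""
CVE_LIST_CORRECTED = """\
CVE-2007-4650 (Multiple unspecified vulnerabilities in Gallery before 2.2.3 allow ...)
        {DSA-1404-1}
        - gallery2 2.2.3-1
"""
# DSA/list data reduced to the suite entry DSA-1404-1 provides (constructed).
DSA_LIST = "        [etch] - gallery2 2.1.2-2.0.etch.1\n"

def demo():
    """Reproduce the inconsistency Francesco saw, then the corrected view."""
    dsa = parse_entries(DSA_LIST)
    etch_ver = "2.1.2-2.0.etch.1"
    with_override = status("gallery2", "etch", etch_ver,
                           parse_entries(CVE_LIST_WITH_OVERRIDE), dsa)
    corrected = status("gallery2", "etch", etch_ver,
                       parse_entries(CVE_LIST_CORRECTED), dsa)
    # "2.2.2-1" is an assumed older sid version, to show the implicit rule.
    sid_old = status("gallery2", "sid", "2.2.2-1", parse_entries(CVE_LIST_CORRECTED), dsa)
    sid_new = status("gallery2", "sid", "2.2.3-1", parse_entries(CVE_LIST_CORRECTED), dsa)
    return with_override, corrected, sid_old, sid_new

if __name__ == "__main__":
    print(demo())
```

Running demo() yields ("vulnerable", "fixed", "vulnerable", "fixed"): the suite-specific <unfixed> line hides the DSA's fix for etch, while with it removed the DSA entry resolves etch as fixed and the general entry alone already marks 2.2.2-1 in sid as vulnerable, which is Moritz's point.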

