On Sat, Nov 10, 2007 at 07:35:38PM +0100, Thijs Kinkhorst wrote:
> Hi All,
>
> On Friday 9 November 2007 23:52, Francesco Poli wrote:
> > Hi all again!
> >
> > DSA 1404-1 [1] claims that gallery2 version 2.1.2-2.0.etch.1 fixes
> > CVE-2007-4650 for etch.
> > The DSA page [2] seems to confirm this.
> > However the CVE page [3] tells a different story: it states that version
> > 2.1.2-2.0.etch.1 is vulnerable.
> > Is this a security-tracker internal inconsistency?
>
> I'm a bit confused by this. The tracker information now says:
>
> CVE-2007-4650 (Multiple unspecified vulnerabilities in Gallery before 2.2.3
> allow ...)
> {DSA-1404-1}
> - gallery2 2.2.3-1
> [etch] - gallery2 <unfixed> (bug #441407)
Suite-specific <unfixed> entries should not be used, for the exact reason Francesco reported: the suite-specific tag overlays the general entry set by the DSA/list data. It's also not necessary here, since "- gallery2 2.2.3-1" marks all older versions implicitly as unfixed.

The few corner cases where suite-specific unfixed entries are useful are cases where a source package has been renamed and is no longer present in unstable.

Since it's not obvious, it should be added to the Tracker docs (unless it exists there already).

Cheers,
Moritz
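To make the overlay behaviour Moritz describes concrete, here is an added example (not code from the thread and not the security tracker's own implementation) that parses the entry quoted above and resolves a package's status per suite. The precedence model it uses is an assumption drawn from the discussion: an explicit `[suite]` line wins over what a referenced DSA says for that suite, which in turn wins over the general `- package version` line, and any version below a fixed version counts as unfixed. The `DSA_FIXES` table is a constructed stand-in for the DSA data, populated only with the etch fix version the thread quotes; the Debian version comparison follows the dpkg ordering rules.

```python
import re

# Tracker entry for CVE-2007-4650 exactly as quoted in the thread (constructed input).
TRACKER_ENTRY = """\
CVE-2007-4650 (Multiple unspecified vulnerabilities in Gallery before 2.2.3 allow ...)
    {DSA-1404-1}
    - gallery2 2.2.3-1
    [etch] - gallery2 <unfixed> (bug #441407)
"""

# Assumed lookup table standing in for the DSA data the tracker merges in:
# DSA-1404-1 fixed gallery2 in etch at 2.1.2-2.0.etch.1 (per the thread).
DSA_FIXES = {"DSA-1404-1": {"etch": {"gallery2": "2.1.2-2.0.etch.1"}}}

LINE_RE = re.compile(
    r"^(?:\[(?P<suite>[^\]]+)\]\s*)?-\s+(?P<pkg>\S+)\s+(?P<ver>\S+)"
    r"(?:\s+\(bug #(?P<bug>\d+)\))?"
)


def _order(c):
    # dpkg character weight: '~' sorts before everything, even end of string;
    # digits and end-of-string are 0, letters by code point, other symbols after letters.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    # Compare alternating non-digit and digit segments the way dpkg does.
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if len(da) != len(db):
            return len(da) - len(db)
        if da != db:
            return -1 if da < db else 1
    return 0


def _parse_version(v):
    # epoch is before the first ':', the Debian revision after the last '-'.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def deb_version_cmp(a, b):
    """Return -1, 0 or 1 ordering Debian version strings a and b."""
    ea, ua, ra = _parse_version(a)
    eb, ub, rb = _parse_version(b)
    c = (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


def parse_entry(text):
    """Parse one tracker CVE entry into its DSA refs, general and per-suite lines."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    entry = {"cve": lines[0].split()[0], "dsas": [], "general": {}, "suites": {}}
    for line in lines[1:]:
        if line.startswith("{"):
            entry["dsas"].extend(line.strip("{}").split())
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed tracker line: {line!r}")
        target = entry["suites"].setdefault(m["suite"], {}) if m["suite"] else entry["general"]
        target[m["pkg"]] = m["ver"]
    return entry


def status(entry, suite, pkg, version):
    """'vulnerable', 'fixed' or 'unknown' for pkg/version in suite.

    Assumed precedence: explicit [suite] line > DSA data for that suite > general line.
    A suite-specific <unfixed> therefore shadows the DSA fix, which is the effect
    Francesco observed on the CVE page.
    """
    fixed = entry["suites"].get(suite, {}).get(pkg)
    if fixed is None:
        for dsa in entry["dsas"]:
            fixed = DSA_FIXES.get(dsa, {}).get(suite, {}).get(pkg)
            if fixed:
                break
    if fixed is None:
        fixed = entry["general"].get(pkg)
    if fixed is None:
        return "unknown"
    if fixed == "<unfixed>":
        return "vulnerable"
    # Anything below the fixed version is implicitly unfixed.
    return "fixed" if deb_version_cmp(version, fixed) >= 0 else "vulnerable"


if __name__ == "__main__":
    as_posted = parse_entry(TRACKER_ENTRY)
    without_overlay = parse_entry(
        "\n".join(ln for ln in TRACKER_ENTRY.splitlines() if not ln.strip().startswith("[etch]"))
    )
    print("etch with [etch] <unfixed> line:", status(as_posted, "etch", "gallery2", "2.1.2-2.0.etch.1"))
    print("etch without it:               ", status(without_overlay, "etch", "gallery2", "2.1.2-2.0.etch.1"))
    print("sid 2.2.3-1:", status(as_posted, "sid", "gallery2", "2.2.3-1"))
    print("sid 2.2.2-1:", status(as_posted, "sid", "gallery2", "2.2.2-1"))
```

Running it shows the two halves of Moritz's point: with the `[etch]` line present the etch status is "vulnerable" even though DSA-1404-1 fixed it there, and with the line removed the DSA data alone yields "fixed"; meanwhile the general `- gallery2 2.2.3-1` line is already enough to flag 2.2.2-1 in unstable as vulnerable, so the overlay buys nothing.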