On Tue, 18 May 2010 08:36:37 +0200 Thijs Kinkhorst wrote:
> Hi all,
>
> On Tue, May 18, 2010 00:54, Michael Gilbert wrote:
> > Author: gilbert-guest
> > Date: 2010-05-17 22:54:10 +0000 (Mon, 17 May 2010)
> > New Revision: 14698
> >
> > Modified:
> > data/CVE/list
> > data/DSA/list
> > Log:
> > NFUs, new issues, and dsa-2038-2
>
> > Modified: data/DSA/list
> > ===================================================================
> > --- data/DSA/list 2010-05-17 21:15:08 UTC (rev 14697)
> > +++ data/DSA/list 2010-05-17 22:54:10 UTC (rev 14698)
> > @@ -1,3 +1,6 @@
> > +[17 May 2010] DSA-2038-2 pidgin - regression fix
> > + {CVE-2010-0420 CVE-2010-0423}
> > + [lenny] - pidgin 2.4.3-4lenny7
> > [17 May 2010] DSA-2047-1 aria2 - directory traversal
> > {CVE-2010-1512}
> > [lenny] - aria2 0.14.0-1+lenny2
>
> It is by design that the automatic dsa2list-script skips updates to
> existing DSA's ("-2"'s).
>
> The update DSA-2038-2 is a regression fix because functionality was broken
> by the DSA-2038-1 in a way that does not impact security. The majority of
> -2 releases are such fixes; only occasionally there's an incomplete fix
> and the -2 is necessary to remain secure.
>
> It doesn't make sense to me to add such non-security regression fixes to
> the tracker, because this will make the tracker display that DSA-2038-2 /
> pidgin 2.4.3-4lenny7 is necessary to be not vulnerable against
> CVE-2010-0420 and CVE-2010-0423. This is not the case, as systems with
> 2.4.3-4lenny6 are secure, just have a non-security bug (which may not
> impact them at all).
>
> I would therefore like to stress once more that we do not add -2 DSA's to
> the tracker unless they have an actual security impact, that is, they
> correct an incomplete fix for a vulnerability. Else we're communicating
> things about which version fixes a vulnerability that aren't accurate.
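Review bot: the new DSA-2038-2 entry in the data/DSA/list hunk repeats the "{CVE-2010-0420 CVE-2010-0423}" line under a "[lenny] - pidgin 2.4.3-4lenny7" fix, so the tracker will report lenny7 as the version needed for those two CVEs although the advisory is described in its own header as a "regression fix" and the thread states that 2.4.3-4lenny6 already closes them; either leave the -2 entry out, as the dsa2list script does for updates to an existing DSA, or add it without the CVE line so the fixed-version data for CVE-2010-0420 and CVE-2010-0423 stays accurate (the thread also notes the same behaviour will need handling in the tracker itself, see bug 582196).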
This is actually a tracker processing issue. I just submitted a bug to make
sure we remember to fix it [1]. In the meantime, I think we should continue
to track all DSAs so that info isn't lost once we fix the issue.

mike

[1] http://bugs.debian.org/582196

Archive: http://lists.debian.org/20100518210239.741f1cc5.michael.s.gilb...@gmail.com
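To make the disagreement above concrete, here is an added example (not code from the Debian security tracker, nor from either poster): a small reader for the data/DSA/list layout visible in the quoted hunk, plus a deliberately simple model of "which version fixes this CVE" that picks the highest version among all entries listing the CVE. The sample data is constructed from the thread; the DSA-2038-1 entry and its date are assumed (the thread only says 2.4.3-4lenny6 fixed the two CVEs), the version ordering is a simplified dpkg-style comparison, and the tracker's real parsing and resolution logic is not reproduced. Running it shows the effect Thijs describes: with the -2 entry present the reported fix moves to lenny7, and with revisions above -1 skipped (what the dsa2list script is said to do) it stays at lenny6.

```python
"""Toy reader for data/DSA/list entries (added example, not tracker code)."""
import re

# Constructed sample in the layout seen in the quoted hunk.  The DSA-2038-1
# entry and its date are assumptions; the thread only says lenny6 fixed the CVEs.
SAMPLE = """\
[17 May 2010] DSA-2038-2 pidgin - regression fix
\t{CVE-2010-0420 CVE-2010-0423}
\t[lenny] - pidgin 2.4.3-4lenny7
[17 May 2010] DSA-2047-1 aria2 - directory traversal
\t{CVE-2010-1512}
\t[lenny] - aria2 0.14.0-1+lenny2
[01 May 2010] DSA-2038-1 pidgin - several vulnerabilities
\t{CVE-2010-0420 CVE-2010-0423}
\t[lenny] - pidgin 2.4.3-4lenny6
"""

HEADER = re.compile(
    r"^\[(?P<date>[^\]]+)\] (?P<id>DSA-\d+-(?P<rev>\d+)) (?P<pkg>\S+) - (?P<desc>.*)$")
FIX = re.compile(r"^\[(?P<suite>[^\]]+)\] - (?P<pkg>\S+) (?P<ver>\S+)$")


def deb_version_key(version):
    """Simplified dpkg ordering: digit runs compare numerically, other runs as
    strings.  Epochs and the '~' rule are deliberately not handled (assumption)."""
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.findall(r"\d+|\D+", version)]


def parse_dsa_list(text):
    """Parse DSA/list text into dicts; header lines start in column 0,
    continuation lines ({CVE...} and [suite] - pkg ver) are indented."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0] not in " \t":
            m = HEADER.match(line)
            if not m:
                raise ValueError("unrecognised DSA header: %r" % raw)
            entries.append({"date": m.group("date"), "id": m.group("id"),
                            "revision": int(m.group("rev")),
                            "package": m.group("pkg"),
                            "description": m.group("desc"),
                            "cves": set(), "fixes": {}})
            continue
        if not entries:
            raise ValueError("continuation line before any header: %r" % raw)
        cur = entries[-1]
        if line.startswith("{") and line.endswith("}"):
            cur["cves"].update(line[1:-1].split())
            continue
        m = FIX.match(line)
        if not m:
            raise ValueError("unrecognised continuation line: %r" % raw)
        cur["fixes"][m.group("suite")] = (m.group("pkg"), m.group("ver"))
    return entries


def fixed_version(entries, cve, suite, include_updates=True):
    """Version reported as fixing `cve` in `suite`, or None.

    Assumed model (not the tracker's real code): every entry listing the CVE
    with a fix for the suite is a candidate and the highest version wins.
    With include_updates=False, -2 and later revisions are skipped, as the
    thread says the dsa2list script does for updates to an existing DSA."""
    candidates = []
    for e in entries:
        if cve not in e["cves"] or suite not in e["fixes"]:
            continue
        if not include_updates and e["revision"] > 1:
            continue
        candidates.append(e["fixes"][suite][1])
    if not candidates:
        return None
    return max(candidates, key=deb_version_key)


if __name__ == "__main__":
    entries = parse_dsa_list(SAMPLE)
    for cve in ("CVE-2010-0420", "CVE-2010-0423"):
        print(cve, "with -2 entry:", fixed_version(entries, cve, "lenny"),
              "/ without:", fixed_version(entries, cve, "lenny", include_updates=False))
```

The point the example makes is the one in the thread: the entry format itself cannot say whether a -2 advisory re-fixes the CVEs or only repairs a regression, so any resolver that takes the highest version listing a CVE will demand lenny7 as soon as the -2 entry carries a CVE line.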