* Francesco Poli:

> On Thu, 12 May 2011 22:13:00 +0200 Florian Weimer wrote:
>
>> * Francesco Poli:
>>
>> > It seems to me that the DSA-2233-1 tracker page [1] lacks the reference
>> > to CVE-2009-2939, which is instead present in the actual DSA [2].
>> >
>> > Is there a reason for this, or is it just an inconsistency (that should
>> > be fixed)?
>>
>> CVE-2009-2939 only affects lenny, and we currently lack a way to
>> express in a better way.
>
> Can the CVE be associated to the DSA and also have the additional info
> that it was fixed for squeeze in a version which is an ancestor of the
> squeeze version?

It is reflected in the page for CVE-2009-2939:

<http://security-tracker.debian.org/tracker/CVE-2009-2939>

The information for CVEs is typically more accurate because often, DSAs
fix several vulnerabilities in a package, and sometimes, this cannot be
expressed adequately in a single fixed version number.
