Re: DSA vs tracker: is CVE-2008-5814 fixed in unstable?

2009-05-11 Thread Thijs Kinkhorst
On Monday 11 May 2009, Michael S. Gilbert wrote:
> security team,
>
> should the DSA announcement be reissued to correct/clarify?

That should not be necessary. The DSA mails pertain to the state of affairs in
old/stable; we mention sid fixed versions as a courtesy but I don't see it
necessary to issue an update just for that.

We can always update the associated DSA web page if a newer sid version is 
available.


Thijs


Re: DSA vs tracker: is CVE-2008-5814 fixed in unstable?

2009-05-10 Thread Michael S. Gilbert
On Sat, 9 May 2009 17:31:11 +0200 Francesco Poli wrote:
> Hi everyone!
>
> DSA-1789-1 [1] claims that all the mentioned CVEs are fixed in
> php5/5.2.9.dfsg.1-1 for sid.
> All tracker pages for the mentioned CVEs seem to be consistent, except
> for the one for CVE-2008-5814 [2], which claims that sid is still
> vulnerable.
>
> [1] http://lists.debian.org/debian-security-announce/2009/msg00100.html
> [2] http://security-tracker.debian.net/tracker/CVE-2008-5814
>
> Now the question is: is CVE-2008-5814 really fixed in
> php5/5.2.9.dfsg.1-1 ?
> If this is the case, the tracker seems to be inconsistent.
>
> Please clarify and/or fix the inconsistency.

hi,

thanks for pointing out the inconsistency.  this is not yet fixed in
the sid version.  it has been added to the sid php5 git repo and is
currently pending to be uploaded, but has not happened yet.  in fact
CVE-2009-0754 should have the same status; which i've just fixed.

security team,

should the DSA announcement be reissued to correct/clarify?

mike





DSA vs tracker: is CVE-2008-5814 fixed in unstable?

2009-05-09 Thread Francesco Poli
Hi everyone!

DSA-1789-1 [1] claims that all the mentioned CVEs are fixed in
php5/5.2.9.dfsg.1-1 for sid.
All tracker pages for the mentioned CVEs seem to be consistent, except
for the one for CVE-2008-5814 [2], which claims that sid is still
vulnerable.

[1] http://lists.debian.org/debian-security-announce/2009/msg00100.html
[2] http://security-tracker.debian.net/tracker/CVE-2008-5814

Now the question is: is CVE-2008-5814 really fixed in
php5/5.2.9.dfsg.1-1 ?
If this is the case, the tracker seems to be inconsistent.

Please clarify and/or fix the inconsistency.


P.S.: Please Cc: me on replies, as I am not a list subscriber.  Thanks.


-- 
 New location for my website! Update your bookmarks!
 http://www.inventati.org/frx
. Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4


