Re: Tracker inconsistency regarding gallery2?

2007-11-10 Thread Thijs Kinkhorst
Hi,

On Friday 9 November 2007 23:52, Francesco Poli wrote:
> Hi all again!
>
> DSA 1404-1 [1] claims that gallery2 version 2.1.2-2.0.etch.1 fixes
> CVE-2007-4650 for etch.
> The DSA page [2] seems to confirm this.
> However the CVE page [3] tells a different story: it states that version
> 2.1.2-2.0.etch.1 is vulnerable.
> Is this a security-tracker internal inconsistency?

I've corrected this now, it was due to a misunderstanding by myself of the 
tracker information.


Thijs




Re: Tracker inconsistency regarding gallery2?

2007-11-10 Thread Nico Golde
Hi Thijs,
* Thijs Kinkhorst <[EMAIL PROTECTED]> [2007-11-10 19:36]:
> On Friday 9 November 2007 23:52, Francesco Poli wrote:
> > DSA 1404-1 [1] claims that gallery2 version 2.1.2-2.0.etch.1 fixes
> > CVE-2007-4650 for etch.
> > The DSA page [2] seems to confirm this.
> > However the CVE page [3] tells a different story: it states that version
> > 2.1.2-2.0.etch.1 is vulnerable.
> > Is this a security-tracker internal inconsistency?
> 
> I'm a bit confused by this. The tracker information now says:
> 
> CVE-2007-4650 (Multiple unspecified vulnerabilities in Gallery before 2.2.3 
> allow ...)
> {DSA-1404-1}
> - gallery2 2.2.3-1
> [etch] - gallery2  (bug #441407)
> NOTE: does not affect gallery 1.x (package 'gallery')
> 
> Do I need to replace that "" by hand by the fixed version? I somehow 
> thought that the DSA-1404-1 would take care of that. Can someone enlighten me 
> how this works exactly?

You can completely delete the etch line since that's 
what the DSA was added for.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
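
Worked example (added here; this is not code from the tracker or from anyone in the thread): a small resolver over the two tracker list formats involved, showing why a leftover [etch] line made the CVE page disagree with the DSA page and what deleting that line, as Nico suggests, changes. The sample entries are constructed from the versions and bug number quoted above. Three things are assumptions: the header layout of data/DSA/list, that the tag the archive stripped from the quoted [etch] line was "<unfixed>", and that an explicit [release] line on a CVE entry takes precedence over the fixed version derived from a referenced DSA (modelled on the behaviour the thread reports).

```python
"""Resolve per-release status for a CVE from Debian security-tracker lists.

Added example: not the tracker's own code. The layout of data/CVE/list
follows the entry quoted in the thread; the data/DSA/list layout and the
precedence rule in status() are assumptions.
"""
import re

# Constructed sample: the CVE entry as quoted above, with the "<unfixed>"
# tag restored on the [etch] line (the list archive stripped the angle
# brackets; that the tag was "<unfixed>" is an assumption).
CVE_LIST = """\
CVE-2007-4650 (Multiple unspecified vulnerabilities in Gallery before 2.2.3 allow ...)
\t{DSA-1404-1}
\t- gallery2 2.2.3-1
\t[etch] - gallery2 <unfixed> (bug #441407)
\tNOTE: does not affect gallery 1.x (package 'gallery')
"""

# Constructed sample of data/DSA/list for DSA-1404-1 (header layout assumed;
# the etch version is the one the DSA text itself names).
DSA_LIST = """\
[10 Nov 2007] DSA-1404-1 gallery2 - several vulnerabilities
\t{CVE-2007-4650}
\t[etch] - gallery2 2.1.2-2.0.etch.1
"""

RELEASE_RE = re.compile(r"^\[(\w+)\] - (\S+) (\S+)(?: \(bug #(\d+)\))?$")
FIX_RE = re.compile(r"^- (\S+) (\S+)$")


def parse_list(text):
    """Parse a tracker list into {entry_id: entry}.

    entry['refs']     ids inside {...} (DSAs for a CVE entry, CVEs for a DSA)
    entry['fixed']    package -> version from a bare "- pkg ver" line (unstable)
    entry['releases'] release -> package -> version (or "<unfixed>")
    """
    entries, cur = {}, None
    for raw in text.splitlines():
        if not raw.startswith("\t"):                 # header line
            ident = raw.split()[0]
            if ident.startswith("["):                # "[date] DSA-NNNN-N ..."
                ident = raw.split("]", 1)[1].split()[0]
            cur = entries[ident] = {"refs": set(), "fixed": {}, "releases": {}}
            continue
        line = raw.strip()
        if line.startswith("{"):
            cur["refs"].update(line.strip("{}").split())
        elif m := RELEASE_RE.match(line):
            rel, pkg, ver, _bug = m.groups()
            cur["releases"].setdefault(rel, {})[pkg] = ver
        elif m := FIX_RE.match(line):
            pkg, ver = m.groups()
            cur["fixed"][pkg] = ver
        # NOTE: lines and anything else are annotations, ignored here
    return entries


def status(cves, dsas, cve_id, release, package):
    """Version that fixes cve_id for package in release, "<unfixed>", or None.

    Assumed precedence, modelled on what the thread reports: an explicit
    [release] line on the CVE entry wins over anything derived from a
    referenced DSA, so a stale "<unfixed>" line keeps etch marked vulnerable
    even though the DSA lists a fixed version.
    """
    entry = cves[cve_id]
    if release == "sid":
        return entry["fixed"].get(package)
    explicit = entry["releases"].get(release, {}).get(package)
    if explicit is not None:
        return explicit
    for ref in sorted(entry["refs"]):
        dsa = dsas.get(ref)
        if dsa and cve_id in dsa["refs"]:
            ver = dsa["releases"].get(release, {}).get(package)
            if ver:
                return ver
    return None


def drop_release_line(text, release):
    """Apply Nico's fix: delete the "[release] - ..." line from a CVE entry."""
    kept = [l for l in text.splitlines() if not l.strip().startswith(f"[{release}]")]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    dsas = parse_list(DSA_LIST)
    before = parse_list(CVE_LIST)
    after = parse_list(drop_release_line(CVE_LIST, "etch"))
    for label, cves in (("with [etch] line", before), ("without", after)):
        print(f"{label:18} etch: {status(cves, dsas, 'CVE-2007-4650', 'etch', 'gallery2')}")
```

With the quoted entry as-is, status() reports etch as "<unfixed>", which is what the CVE page showed; once the [etch] line is gone, the {DSA-1404-1} reference resolves etch to 2.1.2-2.0.etch.1, matching the DSA page. The same lookup direction (DSA entry -> its {CVE ...} set) is why a CVE added to a DSA entry after the advisory was mailed shows up on the DSA page without appearing in the DSA text.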




Re: Tracker inconsistency regarding gallery2?

2007-11-10 Thread Thijs Kinkhorst
Hi All,

On Friday 9 November 2007 23:52, Francesco Poli wrote:
> Hi all again!
>
> DSA 1404-1 [1] claims that gallery2 version 2.1.2-2.0.etch.1 fixes
> CVE-2007-4650 for etch.
> The DSA page [2] seems to confirm this.
> However the CVE page [3] tells a different story: it states that version
> 2.1.2-2.0.etch.1 is vulnerable.
> Is this a security-tracker internal inconsistency?

I'm a bit confused by this. The tracker information now says:

CVE-2007-4650 (Multiple unspecified vulnerabilities in Gallery before 2.2.3 
allow ...)
{DSA-1404-1}
- gallery2 2.2.3-1
[etch] - gallery2  (bug #441407)
NOTE: does not affect gallery 1.x (package 'gallery')

Do I need to replace that "" by hand by the fixed version? I somehow 
thought that the DSA-1404-1 would take care of that. Can someone enlighten me 
how this works exactly?


thanks,
Thijs




Re: Tracker inconsistencies for iceape?

2007-11-10 Thread Francesco Poli
On Fri, 9 Nov 2007 23:56:43 +0100 Moritz Muehlenhoff wrote:

> On Wed, Nov 07, 2007 at 12:45:58AM +0100, Francesco Poli wrote:
> > Hi all!
> > 
> > DSA 1401-1 [1] claims that iceape version 1.0.11~pre071022-0etch1
> > and version 1.1.5-1 fix the following vulnerabilities:
> > CVE-2007-1095 CVE-2007-2292 CVE-2007-3511 CVE-2007-5334
> > CVE-2007-5337 CVE-2007-5338 CVE-2007-5339 CVE-2007-5340.
> > However, the DSA page [2] also lists CVE-2006-2894 as fixed in
> > version 1.0.11~pre071022-0etch1.
> > Is this a spurious addition in the DSA tracker page or a missing
> > item in the DSA message?
> 
> It was fixed in the DSA, but the CVE wasn't known at time of release.

Ah, I see.
Thanks for the explanation.

> 
> > Moreover the individual CVE tracker pages [3] all claim that version
> > 1.1.5-1 is still vulnerable.
> > Is this an inconsistency?
> 
> Yes, fixed.

It seems to be fixed in

http://security-tracker.debian.net/tracker/CVE-2006-2894

but *not* in

http://security-tracker.debian.net/tracker/CVE-2007-1095
http://security-tracker.debian.net/tracker/CVE-2007-2292
http://security-tracker.debian.net/tracker/CVE-2007-3511
http://security-tracker.debian.net/tracker/CVE-2007-5334
http://security-tracker.debian.net/tracker/CVE-2007-5337
http://security-tracker.debian.net/tracker/CVE-2007-5338
http://security-tracker.debian.net/tracker/CVE-2007-5339
http://security-tracker.debian.net/tracker/CVE-2007-5340



-- 
 http://frx.netsons.org/doc/nanodocs/testing_workstation_install.html
 Need to read a Debian testing installation walk-through?
. Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4

