Re: Tracker inconsistency regarding gallery2?
Hi,

On Friday 9 November 2007 23:52, Francesco Poli wrote:
> Hi all again!
>
> DSA 1404-1 [1] claims that gallery2 version 2.1.2-2.0.etch.1 fixes
> CVE-2007-4650 for etch.
> The DSA page [2] seems to confirm this.
> However the CVE page [3] tells a different story: it states that version
> 2.1.2-2.0.etch.1 is vulnerable.
> Is this a security-tracker internal inconsistency?

I've corrected this now; it was due to a misunderstanding by myself of the tracker information.

Thijs
Re: Tracker inconsistency regarding gallery2?
Hi Thijs,

* Thijs Kinkhorst <[EMAIL PROTECTED]> [2007-11-10 19:36]:
> On Friday 9 November 2007 23:52, Francesco Poli wrote:
> > DSA 1404-1 [1] claims that gallery2 version 2.1.2-2.0.etch.1 fixes
> > CVE-2007-4650 for etch.
> > The DSA page [2] seems to confirm this.
> > However the CVE page [3] tells a different story: it states that version
> > 2.1.2-2.0.etch.1 is vulnerable.
> > Is this a security-tracker internal inconsistency?
>
> I'm a bit confused by this. The tracker information now says:
>
> CVE-2007-4650 (Multiple unspecified vulnerabilities in Gallery before 2.2.3
> allow ...)
> {DSA-1404-1}
> - gallery2 2.2.3-1
> [etch] - gallery2 (bug #441407)
> NOTE: does not affect gallery 1.x (package 'gallery')
>
> Do I need to replace that "" by hand by the fixed version? I somehow
> thought that the DSA-1404-1 would take care of that. Can someone enlighten me
> how this works exactly?

You can completely delete the etch line since that's what the DSA was added for.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Re: Tracker inconsistency regarding gallery2?
Hi All,

On Friday 9 November 2007 23:52, Francesco Poli wrote:
> Hi all again!
>
> DSA 1404-1 [1] claims that gallery2 version 2.1.2-2.0.etch.1 fixes
> CVE-2007-4650 for etch.
> The DSA page [2] seems to confirm this.
> However the CVE page [3] tells a different story: it states that version
> 2.1.2-2.0.etch.1 is vulnerable.
> Is this a security-tracker internal inconsistency?

I'm a bit confused by this. The tracker information now says:

CVE-2007-4650 (Multiple unspecified vulnerabilities in Gallery before 2.2.3
allow ...)
{DSA-1404-1}
- gallery2 2.2.3-1
[etch] - gallery2 (bug #441407)
NOTE: does not affect gallery 1.x (package 'gallery')

Do I need to replace that "" by hand by the fixed version? I somehow
thought that the DSA-1404-1 would take care of that. Can someone enlighten me
how this works exactly?

thanks,
Thijs
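The tracker mechanics Thijs asks about and Nico answers (the `{DSA-...}` reference supplying the etch fixed version, and an explicit `[etch]` line overriding it) as a simplified model in Python. This is an added example, not the tracker's own code; the entry shape, the `DSA_FIXES` table and the `<unfixed>` keyword standing in for the marker that was stripped from the quoted entry are assumptions.

```python
import re

# Constructed: the gallery2 entry as quoted in the thread, with the
# stripped per-release marker written as <unfixed> (assumption).
CVE_ENTRY = """\
CVE-2007-4650 (Multiple unspecified vulnerabilities in Gallery before 2.2.3 allow ...)
\t{DSA-1404-1}
\t- gallery2 2.2.3-1
\t[etch] - gallery2 <unfixed> (bug #441407)
\tNOTE: does not affect gallery 1.x (package 'gallery')
"""

# Constructed: per-release fixed versions the DSA carries (assumed shape,
# reduced to what the resolver needs).
DSA_FIXES = {"DSA-1404-1": {"etch": {"gallery2": "2.1.2-2.0.etch.1"}}}

# "[release] - package version ..." or "- package version ..." (unstable)
PKG_LINE = re.compile(r"^(?:\[(?P<rel>[^\]]+)\]\s+)?-\s+(?P<pkg>\S+)\s+(?P<ver>\S+)")


def fixed_version(entry, dsa_fixes, package, release):
    """Return the version fixing `package` in `release`, '<unfixed>' if the
    entry says so, or None if nothing is recorded.  DSA-derived versions
    are applied first; an explicit [release] line overrides them, which is
    why a stale <unfixed> line makes the tracker report the package as
    still vulnerable although the DSA shipped a fix."""
    result = None
    for raw in entry.splitlines():
        line = raw.strip()
        for dsa in re.findall(r"\{([^}]+)\}", line):
            result = dsa_fixes.get(dsa, {}).get(release, {}).get(package, result)
        m = PKG_LINE.match(line)
        if m and m.group("pkg") == package:
            # an unqualified "- pkg ver" line is the unstable (sid) fix
            if (m.group("rel") or "sid") == release:
                result = m.group("ver")
    return result


def drop_release_line(entry, package, release):
    """Nico's fix: delete the explicit [release] line so the DSA applies."""
    kept = []
    for raw in entry.splitlines():
        m = PKG_LINE.match(raw.strip())
        if m and m.group("pkg") == package and m.group("rel") == release:
            continue  # stale override, drop it
        kept.append(raw)
    return "\n".join(kept) + "\n"
```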
Re: Tracker inconsistencies for iceape?
On Fri, 9 Nov 2007 23:56:43 +0100 Moritz Muehlenhoff wrote:
> On Wed, Nov 07, 2007 at 12:45:58AM +0100, Francesco Poli wrote:
> > Hi all!
> >
> > DSA 1401-1 [1] claims that iceape version 1.0.11~pre071022-0etch1
> > and version 1.1.5-1 fix the following vulnerabilities:
> > CVE-2007-1095 CVE-2007-2292 CVE-2007-3511 CVE-2007-5334
> > CVE-2007-5337 CVE-2007-5338 CVE-2007-5339 CVE-2007-5340.
> > However, the DSA page [2] also lists CVE-2006-2894 as fixed in
> > version 1.0.11~pre071022-0etch1.
> > Is this a spurious addition in the DSA tracker page or a missing
> > item in the DSA message?
>
> It was fixed in the DSA, but the CVE wasn't known at time of release.

Ah, I see. Thanks for the explanation.

> > Moreover the individual CVE tracker pages [3] all claim that version
> > 1.1.5-1 is still vulnerable.
> > Is this an inconsistency?
>
> Yes, fixed.

It seems to be fixed in
http://security-tracker.debian.net/tracker/CVE-2006-2894
but *not* in
http://security-tracker.debian.net/tracker/CVE-2007-1095
http://security-tracker.debian.net/tracker/CVE-2007-2292
http://security-tracker.debian.net/tracker/CVE-2007-3511
http://security-tracker.debian.net/tracker/CVE-2007-5334
http://security-tracker.debian.net/tracker/CVE-2007-5337
http://security-tracker.debian.net/tracker/CVE-2007-5338
http://security-tracker.debian.net/tracker/CVE-2007-5339
http://security-tracker.debian.net/tracker/CVE-2007-5340

-- 
http://frx.netsons.org/doc/nanodocs/testing_workstation_install.html
Need to read a Debian testing installation walk-through?
. Francesco Poli . GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4