Hi all, On Tue, May 18, 2010 00:54, Michael Gilbert wrote: > Author: gilbert-guest > Date: 2010-05-17 22:54:10 +0000 (Mon, 17 May 2010) > New Revision: 14698 > > Modified: > data/CVE/list > data/DSA/list > Log: > NFUs, new issues, and dsa-2038-2
> Modified: data/DSA/list > =================================================================== > --- data/DSA/list 2010-05-17 21:15:08 UTC (rev 14697) > +++ data/DSA/list 2010-05-17 22:54:10 UTC (rev 14698) > @@ -1,3 +1,6 @@ > +[17 May 2010] DSA-2038-2 pidgin - regression fix > + {CVE-2010-0420 CVE-2010-0423} > + [lenny] - pidgin 2.4.3-4lenny7 > [17 May 2010] DSA-2047-1 aria2 - directory traversal > {CVE-2010-1512} > [lenny] - aria2 0.14.0-1+lenny2 It is by design that the automatic dsa2list-script skips updates to existing DSA's ("-2"'s). The update DSA-2038-2 is a regression fix because functionality was broken by the DSA-2038-1 in a way that does not impact security. The majority of -2 releases are such fixes; only occasionally there's an incomplete fix and the -2 is necessary to remain secure. It doesn't make sense to me to add such non-security regression fixes to the tracker, because this will make the tracker display that DSA-2038-2 / pidgin 2.4.3-4lenny7 is necessary to be not vulnerable against CVE-2010-0420 and CVE-2010-0423. This is not the case, as systems with 2.4.3-4lenny6 are secure, just have a non-security bug (which may not impact them at all). I would therefore like to stress once more that we do not add -2 DSA's to the tracker unless they have an actual security impact, that is, they correct an incomplete fix for a vulnerability. Else we're communicating things about which version fixes a vulnerability that aren't accurate. cheers, Thijs -- To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/dbbf50d0962383978b33a5cb734f9d57.squir...@wm.kinkhorst.nl