Your message dated Thu, 7 Feb 2008 08:20:40 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Bug#463184: security.debian.org: wasn't CVE-2007-2645 fixed in DSA-1310-1?
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: security.debian.org
Severity: grave

according to the bug report log [1], the 0.6.13-etch1 upload of
libexif12 fixed the security vulnerability described by CVE-2007-2645.
however, the associated DSA [2] says that the upload of 0.6.13-etch1
fixed the vulnerability described by CVE-2006-4168.

it seems very likely someone mistakenly reversed the CVE numbers.  so it
is probably the case that CVE-2007-2645 was fixed long ago in etch,
and CVE-2006-4168 still remains unaddressed.

[1] http://bugs.debian.org/424775
[2] http://www.debian.org/security/2007/dsa-1310

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



--- End Message ---
--- Begin Message ---
On Wed, Feb 06, 2008 at 06:16:44PM -0500, Michael Gilbert wrote:
> > did that upload of libexif actually address both CVE-2006-4168 and
> > CVE-2007-2645?  if so, then the DSA should be updated to indicate that
> > this is the case.  if not, then
> > http://idssi.enyo.de/tracker/status/release/unstable needs to be
> > updated to indicate that the CVE-2007-2645 vulnerability still exists
> > in the archive, and the fix (http://bugs.debian.org/424775) needs to
> > be uploaded as soon as possible.
> 
> oops, i was looking at the unstable page.  CVE-2007-2645 is indeed
> listed on the stable page
> (http://idssi.enyo.de/tracker/status/release/stable).
> 
> btw, any chance of the fix getting uploaded to etch any time soon?

I've prepared an update along with two other open issues yesterday,
it'll be released tonight or tomorrow.

BTW, please file such bugs against the relevant packages, not
security.debian.org.

Cheers,
        Moritz


--- End Message ---
