On 2010-12-19, Adam D. Barratt <[email protected]> wrote:
> On Sun, 2010-12-19 at 14:46 +0100, Moritz Muehlenhoff wrote:
>> On 2010-12-18, Adam D. Barratt <[email protected]> wrote:
>> > The security tracker seems to be somewhat confused here, fwiw -
>> > http://security-tracker.debian.org/tracker/CVE-2010-164{7,8} both claim
>> > that the issue was fixed in -2lenny5.
>>
>> They are both marked as no-dsa:
>>
>> CVE-2010-1648 (Cross-site request forgery (CSRF) vulnerability in the login interface ...)
>> - mediawiki 1.15.4-1 (bug #585918; low)
>> [lenny] - mediawiki <no-dsa> (Minor issue)
>> NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
>> CVE-2010-1647 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before ...)
>> - mediawiki 1.15.4-1 (bug #585918; low)
>> [lenny] - mediawiki <no-dsa> (Minor issue)
>> NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
>
> Yeah, I spotted that when looking at the tracker while checking the
> request over. It just seemed odd that they were already marked as fixed
> in -2lenny5 when that upload clearly didn't include the fixes.

The security tracker status page is a bit confusing: It takes the "no-dsa" tag
as a "no further action needed from security team's side, since it's a
negligible issue" and doesn't differentiate that from "no further action needed
from security team's side, since it's fixed".

Cheers,
Moritz