Hi Francesco,

* Francesco Poli <[EMAIL PROTECTED]> [2008-01-22 00:24]:
> DSA-1471-1 [1] claims that libvorbis version 1.1.0-2 fixes
> CVE-2007-3106, CVE-2007-4029, and CVE-2007-4066 for sarge. The DSA page
> [2] seems to ignore this, though. Correspondent CVS pages [3][4][5]
> consistently claim that version 1.1.0-2 is vulnerable.
>
> Which of the two is wrong and which is right?
>
> Moreover, the same DSA [1] claims that version 1.1.2.dfsg-1.3 fixes the
> above-mentioned CVEs for etch. However the CVE-2007-4029 page [4] tells
> a different story: it states that version 1.1.2.dfsg-1.3 is vulnerable.
> Is this a security-tracker internal inconsistency?
[...]

The source package name was missing from the sarge tag in our DSA file.
Fixed this in svn. Thanks a lot for reporting!

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
