On Wed, 1 Apr 2009 20:03:18 +0200, Francesco Poli wrote:
> I can confirm that DSA-1755-1 now seems to be correctly tracked (except
> for etch status: the DSA claims that etch is not affected, but the
> tracker says that etch is vulnerable...).

fixed.

> On the other hand, DSA-1758-1 refers to a CVE still marked as RESERVED
> and hence reports incomplete information about vulnerable and fixed
> versions.

like i said, this gets pulled in automatically from the Mitre database, and there really isn't anything debian can do about their tardiness.

should debian switch to the NVD feeds [1], which seem to get updated in a much more timely and consistent manner? from what i've seen, NVD pages and feeds actually get updated on the planned disclosure date, rather than a week or more later for Mitre.

apropos, this has been a primary complaint of mine for a while now. it takes debian much too long to start working on issues after they have been initially disclosed. switching to NVD would go a long way toward addressing this problem.

[1] http://nvd.nist.gov/download.cfm#CVE_FEED
