Hi Francesco,

On Sun, Feb 08, 2015 at 12:35:56PM +0100, Francesco Poli (wintermute) wrote:
> Package: security-tracker
> Severity: normal
>
> Hello again,
> there seems to be a typo in the tracker page for CVE-2014-3660 [1]:
> it states that the vulnerability is fixed in jessie by
> libxml2/2.9.1+dfsg1-5 , while DSA-2978-2 [2] says that the fixed
> version is 2.9.1+dfsg1-4 ...

The situation for the update in DSA-2978-2 is actually a bit
complicated.

DSA-2978-1: Fixed CVE-2014-0191:
- wheezy: 2.8.0+dfsg1-7+wheezy1
- jessie: 2.9.1+dfsg1-4
- unstable: 2.9.1+dfsg1-4

A regression in functionality was found, so releasing updates for it.

DSA-3057-1: Fixed CVE-2014-3660:
- wheezy: 2.8.0+dfsg1-7+wheezy2
- jessie <unfixed>
- unstable: 2.9.2+dfsg1-1

libxml2 could not migrate to jessie in this version, so the fix for
CVE-2014-3660 never reached jessie.

After that regressions in functionality were addressed with the DSA
you are mentioning.

For jessie to fix the issue in CVE-2014-3660 a pre-approval for an
upload to t-p-u was opened in https://bugs.debian.org/776748 so the
version fixing CVE-2014-3660 will be correct as libxml2/2.9.1+dfsg1-5
once the package is accepted. The entry in the tracker was only a bit
"prematurely" added as the package was not yet accepted by the release
team.

So I would say (unless I now missed something) all the versions in
tracker are correct (apart we should have delayed adding 2.9.1+dfsg1-5
already, since it is not yet approved), and the advisory text itself
was a bit complicated to write up to reflect all this correctly.

So I would tend to close this bug, right away, or wait until
2.9.1+dfsg1-5 is accepted into jessie via t-p-u, but unfortunately the
advisory text
https://lists.debian.org/debian-security-announce/2015/msg00039.html
in the list archives is now out this way.

Regards,
Salvatore