Bug#992159: security-tracker: DSA-4957-1 vs. tracker

2021-08-14 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi everyone!

In [DSA-4957-1], a number of CVEs are listed as fixed in trafficserver
for buster: CVE-2021-27577 CVE-2021-32566 CVE-2021-32567 CVE-2021-35474
CVE-2021-32565 .

However, the last one [CVE-2021-32565] is not present in the
corresponding [DSA tracker page], probably due to a typo in
the [changelog entry].

[DSA-4957-1]: 

[CVE-2021-32565]: 
[DSA tracker page]: 
[changelog entry]: 


If this is the case, please update the tracker data.
Thanks for your time!



Bug#988823: security-tracker: DSA-4917-1 vs. tracker

2021-05-19 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello everyone!

According to [DSA-4917-1], a number of CVEs are fixed in chromium
for buster: CVE-2021-30506 ÷ CVE-2021-30520.

The tracker [DSA page] agrees on that, but also refers to
[CVE-2021-3051], which is not mentioned in the DSA.

[DSA-4917-1]: 

[DSA page]: 
[CVE-2021-3051]: 

Is the DSA incomplete or does the tracker page need a correction?

Please let me know, and update the tracker data, if needed.
Thanks for your time!


Bug#959231: Bug#929228: Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page

2020-05-01 Thread Francesco Poli
On Fri, 1 May 2020 16:46:21 +0200 Salvatore Bonaccorso wrote:

[...]
> Thanks, applied and deployed.

Wow, this looks fixed: thanks to you all, for your prompt
reaction!   :-)

Bye.

-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page

2020-05-01 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi all!

I noticed that the tracker page for [CVE-2020-11565] fails to display
and returns the following error:

| Proxy Error
| 
| The proxy server received an invalid response from an upstream server.
| The proxy server could not handle the request
| 
| Reason: Error reading from remote server
| 
| Apache Server at security-tracker.debian.org Port 443

[CVE-2020-11565]: 

Please note that the CVE is mentioned in [DSA-4667-1].

[DSA-4667-1]: 


What's wrong with that tracker page?
Please fix anything that's missing.

Thanks for your time and dedication!



Bug#947686: security-tracker: DSA-4595-1 vs. tracker

2019-12-29 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello everyone!

According to [DSA-4595-1], CVE-2019-3467 is fixed in debian-lan-config
for stretch and buster.

However, the tracker [CVE page] does not seem to be linked to the
[DSA page], thus failing to show the correct fixed versions for
debian-lan-config.

Please update the tracker data, as appropriate.

Thanks for your time!

[DSA-4595-1]: 

[CVE page]: 
[DSA page]: 



Bug#905304: security-tracker: DSA-4259-1 vs. tracker

2018-08-02 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello!

According to [DSA-4259-1], ruby2.3/2.3.3-1+deb9u3 fixes a number of
vulnerabilities, among which CVE-2017-17405, CVE-2017-17742,
CVE-2017-17790, and CVE-2018-6914.

However, the tracker pages for [CVE-2017-17405], [CVE-2017-17742],
[CVE-2017-17790], and [CVE-2018-6914] seem to disagree.

Is the tracker wrong?
Please update the tracker data, then.

Is the DSA wrong?
Please clarify (I searched in the tracker commit history on Salsa,
but I failed to find any explicit explanation about this
discrepancy...).

Thanks for your time!

[DSA-4259-1]: 

[CVE-2017-17405]: 
[CVE-2017-17742]: 
[CVE-2017-17790]: 
[CVE-2018-6914]:  



Bug#903816: security-tracker: CVE-2017-17689 vs. tracker

2018-07-15 Thread Francesco Poli
On Sun, 15 Jul 2018 13:38:52 +0200 Salvatore Bonaccorso wrote:

[...]
> In short, the tracker is correct. The initial DSA mail did contain the
> mention of the CVE-2017-17689, but it was wrongly listed. This is why
> it was reverted in
> 
> https://salsa.debian.org/security-tracker-team/security-tracker/commit/0b041892b1d953fabb4ef8636c02b427a2771663
> 
> and the website is correct as well (the mail obviously cannot be fixed
> retrospectively).

Ah OK, thanks for clarifying.


But then, maybe, the tracker page for [CVE-2017-17689] should stop
referencing bug [#898631]...

[CVE-2017-17689]: <https://security-tracker.debian.org/tracker/CVE-2017-17689>
[#898631]: <https://bugs.debian.org/898631>



-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#903816: security-tracker: CVE-2017-17689 vs. tracker

2018-07-15 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello everyone!

According to [DSA-4244-1] thunderbird/1:52.9.1-1~deb9u1 fixes
CVE-2017-17689 in stretch (security), among other vulnerabilities.

However the tracker page for [CVE-2017-17689] seems to disagree,
while, on the other hand, referencing bug [#898631], which is claimed
to be fixed in oldstable, stable, testing, and unstable.

But please note that bug [#898631] does not mention CVE-2017-17689
at all!

Oh what a headache!
Which is wrong and which is right?

Could you please clarify and update the tracker data, if needed?

Thanks for your time!

[DSA-4244-1]: 

[CVE-2017-17689]: 
[#898631]: 



Re: RC bugs with wrong tracking info for wpa?

2017-10-16 Thread Francesco Poli
On Mon, 16 Oct 2017 23:17:01 +0200 Moritz Mühlenhoff wrote:

> On Mon, Oct 16, 2017 at 07:47:57PM +0200, Francesco Poli wrote:
> > Should I just trust my intuition and fix the version tracking info of
> > those three RC bugs, as said in my message?
> 
> Yes.

Done, thanks for your reply!   ;-)


-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




RC bugs with wrong tracking info for wpa?

2017-10-16 Thread Francesco Poli
Hello,
I see that a [NMU] has just been done in unstable for wpa, in order to
fix the vulnerabilities covered by DSA-3999-1.

[NMU]: <https://tracker.debian.org/news/879583>

Unfortunately wpa has three open RC bugs which appear to have incorrect
BTS version tracking info.
I [tried] to explain the situation and get confirmation about my guess,
but I haven't received any reply yet. 

[tried]: <https://bugs.debian.org/849122#65>

I am worried that apt-listbugs users (running Debian unstable or
testing) may have wpa pinned to a vulnerable version because of those
three RC bugs and won't get the security fixes, until the situation is
clarified.

What should I do, in your opinion?

Should I just trust my intuition and fix the version tracking info of
those three RC bugs, as said in my message?
Or otherwise, who could I contact in order to get confirmation for my
guess?


Thanks for your time and for any help you may provide.
 

-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#850728: security-tracker: DSA-3756-1 vs. tracker

2017-01-09 Thread Francesco Poli
On Mon, 9 Jan 2017 20:15:23 +0100 Moritz Muehlenhoff wrote:

> On Mon, Jan 09, 2017 at 06:27:01PM +, Luedtke, Nicholas (HPE Linux
> Security) wrote:
> > It is indeed valid. It is not uncommon for the mitre list to take some time
> > to catch up. The CVE ids are blocked to various CNAs leading to the 5000s
> > being currently assigned.
> 
> Indeed, closing.

Thanks for clarifying.
I stand corrected, sorry for the noise!

Bye.


-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#850728: security-tracker: DSA-3756-1 vs. tracker

2017-01-09 Thread Francesco Poli
Package: security-tracker
Severity: normal

Hello everyone!

DSA-3756-1 [1] claims to talk about CVE-2017-5208 [2], but the CVE
official list seems to know nothing about it [3].
Actually, have *so many* vulnerabilities been already indexed in the
just started year 2017 ?!?

Is this a typo? Which is the correct CVE number?
Please clarify and fix the tracker data, as appropriate.

Thanks for your time!

[1] https://lists.debian.org/debian-security-announce/2017/msg6.html
[2] https://security-tracker.debian.org/tracker/CVE-2017-5208
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5208



Bug#813878: security-tracker: DSA-3464-1 vs. tracker

2016-02-06 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi everyone!

DSA-3464-1 [1] states that several vulnerabilities are fixed in
rails/2:4.2.5.1-1 for sid, but the tracker claims that two of
them [2][3] are still unfixed in sid.

Is the DSA wrong or should the tracker data be updated?
Please clarify, thanks for your time!

[1] https://lists.debian.org/debian-security-announce/2016/msg00034.html
[2] https://security-tracker.debian.org/tracker/CVE-2015-3226
[3] https://security-tracker.debian.org/tracker/CVE-2015-3227



Bug#803591: security-tracker: DSA-3381-1 vs. tracker

2015-10-31 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello everybody!

DSA-3381-1 [1] states that several vulnerabilities are fixed in
openjdk-7/7u85-2.6.1-5 for sid, but the tracker [2] claims that many
of those vulnerabilities are only fixed in openjdk-7/7u85-2.6.1-6 .
Is that a typo in the DSA or should the tracker data be updated?

Moreover the tracker claims [3] that one of the vulnerabilities
(CVE-2015-4871) is unfixed in sid.
Again: is the DSA wrong or should the tracker data be updated?

Please clarify, thanks for your time!


[1] https://lists.debian.org/debian-security-announce/2015/msg00280.html
[2] see links for CVE ids in
https://security-tracker.debian.org/tracker/DSA-3381-1
[3] https://security-tracker.debian.org/tracker/CVE-2015-4871



Bug#792050: security-tracker: DSA-330[67]-1 vs. tracker

2015-07-10 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi everybody!

The tracker pages [1][2] for DSA-3306-1 [3] and DSA-3307-1 [4]
do not seem to be linked with CVE-2015-1868 [5], which,
according to the tracker, seems to be fixed everywhere,
while the DSAs [3][4] seem to disagree.

Please fix the tracker data.

Thanks for your time!

[1] https://security-tracker.debian.org/tracker/DSA-3306-1
[2] https://security-tracker.debian.org/tracker/DSA-3307-1
[3] https://lists.debian.org/debian-security-announce/2015/msg00202.html
[4] https://lists.debian.org/debian-security-announce/2015/msg00203.html
[5] https://security-tracker.debian.org/tracker/CVE-2015-1868


-- 
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150710171544.3938.79032.reportbug@homebrew



Bug#789490: security-tracker: DSA-3290-1 vs. tracker

2015-06-21 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello!

DSA-3290-1 [1] states that CVE-2015-3636 is fixed in
linux/3.16.7-ckt11-1, but the tracker shows somewhat
self-inconsistent information about this vulnerability [2],
claiming that linux/3.16.7-ckt11-1 is fixed in jessie,
but vulnerable in stretch, despite being apparently the
same exact version.

Please clarify and/or fix the tracker data.

Thanks for your time!

[1] https://lists.debian.org/debian-security-announce/2015/msg00186.html
[2] https://security-tracker.debian.org/tracker/CVE-2015-3636


-- 
Archive: https://lists.debian.org/20150621134619.11901.89739.reportbug@homebrew



Bug#788685: security-tracker: DSA-3288-1 vs. tracker

2015-06-14 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello!

There seems to be no tracker page [1] for DSA-3288-1 [2], yet.
Please update the tracker data.

Thanks for your time!

[1] https://security-tracker.debian.org/tracker/DSA-3288-1
[2] https://lists.debian.org/debian-security-announce/2015/msg00183.html


-- 
Archive: https://lists.debian.org/20150614090306.4210.85902.reportbug@homebrew



Bug#783491: security-tracker: document what needs to be done on releases and other archive changes

2015-05-05 Thread Francesco Poli
On Tue, 5 May 2015 06:49:32 +0200 Salvatore Bonaccorso wrote:

[...]
> https://security-tracker.debian.org/tracker/status/release/testing
> 
> should look better now.

Yes, it seems to be much more plausible!   ;-)

Thanks a lot.

-- 
 http://www.inventati.org/frx/
 There's not a second to lose! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#783491: security-tracker: document what needs to be done on releases and other archive changes

2015-05-04 Thread Francesco Poli
On Fri, 1 May 2015 11:20:26 +0200 Francesco Poli wrote:

[...]
> The tracker situation still seems to be broken to me...

Still broken...

-- 
 http://www.inventati.org/frx/
 There's not a second to lose! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#783491: security-tracker: document what needs to be done on releases and other archive changes

2015-05-01 Thread Francesco Poli
On Mon, 27 Apr 2015 19:59:16 +0200 Holger Levsen wrote:

[..]
> On Montag, 27. April 2015, Francesco Poli wrote:
[...]
> > I am asking since I still see a tracker situation inconsistent with the
> > release of jessie.
> 
> I'd suggest to let this post-release situation resolve itself a bit (eg I
> also see inconsistencies on packages.qa.d.o and tracker.d.o)
[...]
> and look again at the security-tracker in a day or two.

The tracker situation still seems to be broken to me...


-- 
 http://www.inventati.org/frx/
 fsck is a four letter word...
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#783491: security-tracker: document what needs to be done on releases and other archive changes

2015-04-27 Thread Francesco Poli
On Mon, 27 Apr 2015 15:07:34 +0200 Holger Levsen wrote:

[...]
> 3fa31ab2a22a7e6db606899ca3ee6cb45a7884d1 / svnr33868 is the commit showing
> what needs to be done on upgrades

Hi Holger,
I am sorry to ask, but... is this commit supposed to be already live?

I am asking since I still see a tracker situation inconsistent with the
release of jessie.
For instance the testing [1] status page lists, among several other
vulnerabilities:

chromium-browser  CVE-2015-1237  high**  yes  fixed in testing-security

but the corresponding page [2] states that the security issue is fixed
in jessie (security), stretch, and sid.

[1] https://security-tracker.debian.org/tracker/status/release/testing
[2] https://security-tracker.debian.org/tracker/CVE-2015-1237

I am under the impression that the testing [1] status page is still
actually talking about jessie, rather than stretch...


-- 
 http://www.inventati.org/frx/
 fsck is a four letter word...
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#777458: security-tracker: DSA-3156-1 vs. tracker

2015-02-08 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi again,
DSA-3156-1 [1] states that CVE-2013-6933 is fixed in wheezy by
vlc/2.0.3-5+deb7u2+b1 and mplayer/2:1.0~rc4.dfsg1+svn34540-1+deb7u1 .
The CVE tracker page [2] seems to be unaware of these two fixed
versions for vlc and mplayer.

I don't know whether a binNMU can be correctly tracked, but I think
that at least the fixed version for mplayer should be tracked...

Please fix the tracker data.
Thanks for your time!

[1] https://lists.debian.org/debian-security-announce/2015/msg00041.html
[2] https://security-tracker.debian.org/tracker/CVE-2013-6933


-- 
Archive: https://lists.debian.org/20150208114710.6021.77251.reportbug@homebrew



Bug#777454: security-tracker: DSA-3155-1 vs. tracker

2015-02-08 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello everybody,
there seems to be something weird going on.

The tracker page [1] for DSA-3155-1 [2] looks OK: it states
that the vulnerabilities are fixed in wheezy by
postgresql-9.1/9.1.15-0+deb7u1 (in agreement with the DSA itself).

On the other hand, the CVE tracker pages [3][4][5][6], despite
being linked to DSA-3155-1, disagree with it, claiming that wheezy
is still vulnerable.

I thought that this was not even possible in the tracker!
Apparently I was wrong...
What did I fail to understand?

Please fix the tracker data.
Thanks for your time!

[1] https://security-tracker.debian.org/tracker/DSA-3155-1
[2] https://lists.debian.org/debian-security-announce/2015/msg00038.html
[3] https://security-tracker.debian.org/tracker/CVE-2014-8161
[4] https://security-tracker.debian.org/tracker/CVE-2015-0241
[5] https://security-tracker.debian.org/tracker/CVE-2015-0243
[6] https://security-tracker.debian.org/tracker/CVE-2015-0244


-- 
Archive: https://lists.debian.org/20150208112454.5782.59087.reportbug@homebrew



Bug#777456: security-tracker: DSA-2978-2 vs. tracker

2015-02-08 Thread Francesco Poli
On Sun, 8 Feb 2015 13:58:36 +0100 Salvatore Bonaccorso wrote:

[...]
> The situation for the update in DSA-2978-2 is actually a bit
> complicated.
[...]

I see...

> So I would say (unless I now missed something) all the versions in
> tracker are correct (apart we should have delayed adding 2.9.1+dfsg1-5
> already, since it is not yet approved),

Yep, I agree.

[...]
> So I would tend to close this bug, right away, or wait until
> 2.9.1+dfsg1-5 is accepted into jessie via t-p-u,

Please feel free to do as you prefer.
The tracker is not incorrect, it just talks about a not-yet-available
version...
I hope that version gets accepted soon into t-p-u.

> but unfortunately the
> advisory text
> https://lists.debian.org/debian-security-announce/2015/msg00039.html
> in the list archives is now out this way.

The advisory text is indeed a bit misleading. It's unfortunate that it
cannot be easily fixed after publication...

Bye, and thanks for the explanation.


-- 
 http://www.inventati.org/frx/
 fsck is a four letter word...
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#776718: security-tracker: DSA-3146-1 vs. tracker

2015-01-31 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello,
the tracker page [1] for DSA-3146-1 [2] seems to lack the links to
the relevant CVEs [3][4].

Please update the tracker data.
Thanks for your time.

[1] https://security-tracker.debian.org/tracker/DSA-3146-1
[2] https://lists.debian.org/debian-security-announce/2015/msg00029.html
[3] https://security-tracker.debian.org/tracker/CVE-2014-1829
[4] https://security-tracker.debian.org/tracker/CVE-2014-1830


-- 
Archive: https://lists.debian.org/20150131161135.7270.9048.reportbug@homebrew



Bug#776224: security-tracker: DSA-3139-1 vs. tracker

2015-01-25 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello everybody,
the tracker page [1] for DSA-3139-1 [2] seems to lack the link to
CVE-2014-3609 [3].

Please fix the tracker data.
Thanks for your time!


[1] https://security-tracker.debian.org/tracker/DSA-3139-1
[2] https://lists.debian.org/debian-security-announce/2015/msg00022.html
[3] https://security-tracker.debian.org/tracker/CVE-2014-3609


-- 
Archive: https://lists.debian.org/20150125170623.11108.63841.reportbug@homebrew



Bug#773322: security-tracker: DSA-3104-1 vs. tracker

2014-12-16 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello!

DSA-3104-1 [1] states, in part:

|  An older security vulnerability, CVE-2004-2771, had already
|  been addressed in the Debian's bsd-mailx package.

However, the tracker [2] seems to disagree, as it claims that
all versions of bsd-mailx in Debian are currently vulnerable...
I think the problem is an extra epoch in the (unstable) fixed
version for bsd-mailx: this time the epoch is in the tracker data,
but not in the actual package versions (contrary to the usual
missing epoch issues that I frequently spot!).

Please fix the tracker data.
Thanks for your time!

[1] https://lists.debian.org/debian-security-announce/2014/msg00294.html
[2] https://security-tracker.debian.org/tracker/CVE-2004-2771


-- 
Archive: https://lists.debian.org/20141216215002.4796.83564.reportbug@homebrew



Bug#773100: security-tracker: DSA-3100-1 vs. tracker

2014-12-14 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi all!

DSA-3100-1 [1] seems to lack an epoch in the stable fixed version.
The tracker reflects the DSA [2]: please fix the tracker data!

Thanks for your time.

[1] https://lists.debian.org/debian-security-announce/2014/msg00290.html
[2] https://security-tracker.debian.org/tracker/DSA-3100-1


-- 
Archive: https://lists.debian.org/20141214104214.4074.38850.reportbug@homebrew



Bug#772775: security-tracker: DSA-3095-1 vs. tracker

2014-12-10 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello!

It seems to me that DSA-3095-1 [1] lacks an epoch in the stable fixed
version.
The tracker reflects the DSA [2]: please fix the tracker data!

Thanks for your time.

[1] https://lists.debian.org/debian-security-announce/2014/msg00285.html
[2] https://security-tracker.debian.org/tracker/DSA-3095-1


-- 
Archive: https://lists.debian.org/20141210225940.10639.93177.reportbug@homebrew



Bug#771121: security-tracker: often returns 502 Proxy Error

2014-11-30 Thread Francesco Poli
On Sat, 29 Nov 2014 11:41:09 +0100 Florian Weimer wrote:

> * Francesco Poli:
> 
> > I have been experiencing frequent issues with the web interface of the
> > security tracker for some weeks
[...]
> I think I may have fixed this in r30431, at least for the time being.

Hi Florian!

It indeed seems to work flawlessly now.
Thanks a lot!   :-)

[...]
> The fix is only temporary because at a certain point, broken bots
> scraping information from the HTML pages may overload the server
> again. There are several of them requesting the same CVE page again
> and again, but it's difficult to tell what's actually going on because of
> the privacy-enhanced logging.

One of the bots scraping information from the tracker HTML pages is
actually a script that I manually run once a day (or less)...   :-/
It just requests three tracker pages and does everything else locally,
hence I hope it does not cause any significant overload.

I use it to update a graphical plot of the number of open
vulnerabilities (in unstable, testing, and stable) versus time.
I tried to propose its integration into the tracker in the past, but
apparently there was not enough interest, so I went on running it by
myself.


Bye and thanks again for fixing the tracker proxy error issue!


-- 
 http://www.inventati.org/frx/
 fsck is a four letter word...
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#771121: security-tracker: often returns 502 Proxy Error

2014-11-26 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: important

Hello everybody!

I have been experiencing frequent issues with the web interface of the
security tracker for some weeks and I am still experiencing them:
when visiting the tracker pages [1], I often get the following error
message in my browser:

| Proxy Error
| 
| The proxy server received an invalid response from an upstream server.
| The proxy server could not handle the request GET /tracker/DSA-3077-1.
| 
| Reason: Error reading from remote server
| 
| Apache Server at security-tracker.debian.org Port 443

After a (variable) number of attempts, the web server finally decides
that the page is to be served and everything seems to work fine, until
another error message appears when visiting some other page.

Am I the only one who experiences such issues?
I was hoping to see the problem fixed, but no joy yet...

Could someone please investigate the issue and fix it?
Thanks a lot for your time!

Bye.


[1] such as, for instance,
https://security-tracker.debian.org/tracker/DSA-3077-1


-- 
Archive: https://lists.debian.org/20141126225626.9367.40214.reportbug@homebrew



Bug#767654: security-tracker: DSA-3061-1 vs. tracker

2014-11-02 Thread Francesco Poli
Control: reopen -1


On Sun, 2 Nov 2014 15:28:40 +0100 Salvatore Bonaccorso wrote:

> Hi Francesco,

Hi Salvatore!

 
> On Sat, Nov 01, 2014 at 06:32:03PM +0100, Francesco Poli (wintermute) wrote:
[...]
> > Please update the tracker data.
> > Thanks for your time!
> 
> Thanks too! I have fixed the tracker information now.

Good, except that I {don't|no longer} see the reference to
CVE-2014-1583 on the tracker...
I am thus reopening the bug report.

Unless this is a mistake in the DSA, please add the link (between
DSA-3061-1 and CVE-2014-1583) to the tracker.

Thanks!


-- 
 http://www.inventati.org/frx/
 fsck is a four letter word...
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#767654: security-tracker: DSA-3061-1 vs. tracker

2014-11-01 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi all!
DSA-3061-1 [1] states that several vulnerabilities are fixed in sid
by icedove/31.2.0-1, but the tracker [2] seems to disagree (claiming
that sid is still unfixed).

[1] https://lists.debian.org/debian-security-announce/2014/msg00249.html
[2] https://security-tracker.debian.org/tracker/DSA-3061-1

Please update the tracker data.
Thanks for your time!

Bye.


-- 
Archive: https://lists.debian.org/20141101173203.13774.16539.reportbug@homebrew



Bug#755949: security-tracker: DSA-2986-1 vs. tracker

2014-07-24 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi all!
DSA-2986-1 [1] states that a number of vulnerabilities are fixed in sid
by iceweasel/31.0-1, but the tracker [2] seems to disagree for
CVE-2014-1544 (which is claimed to still affect sid).

[1] https://lists.debian.org/debian-security-announce/2014/msg00168.html
[2] https://security-tracker.debian.org/tracker/CVE-2014-1544

Please update the tracker.
Thanks for your time!

Bye.


-- 
Archive: https://lists.debian.org/20140724200156.7464.97365.reportbug@homebrew



Bug#755800: Acknowledgement (bogus urgency field from security-tracker)

2014-07-23 Thread Francesco Poli
On Wed, 23 Jul 2014 15:51:35 +0200 Holger Levsen wrote:

[...]
> Hi,

Hi Holger!

 
> looking at
> https://security-tracker.debian.org/tracker/status/release/oldstable
> (unstable too) it seems to me the urgency field is rather unused, for
> oldstable all entries are either low or not yet assigned (unstable has one
> high urgency entry, while way more in reality), so I'd like to propose to
> remove this field completely as it's confusing and irrelevant.

Well, I don't know whether it is indeed unused.

To be honest, I was hoping it was used and filled with relevant values
whenever possible!
If this is not the case, I would encourage the security tracker users to
set this field with significant values, so that readers may get an
approximate idea about the gravity of the various vulnerabilities...


-- 
 http://www.inventati.org/frx/
 fsck is a four letter word...
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#752110: security-tracker: DSA-2962-1 vs. tracker

2014-06-19 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello everybody!
DSA-2962-1 [1] states that CVE-2014-1545 is fixed in sid by
nspr/2:4.10.6-1, but the tracker [2] seems to disagree (it currently
claims that sid is still vulnerable).

[1] https://lists.debian.org/debian-security-announce/2014/msg00143.html
[2] https://security-tracker.debian.org/tracker/CVE-2014-1545

Please update the tracker data.
Thanks for your time!

Bye.


-- 
Archive: https://lists.debian.org/20140619172018.4540.77449.reportbug@homebrew



Bug#749082: security-tracker: DSA-2935-1 vs. tracker

2014-05-23 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello all!
It seems to me that the tracker data [1] for DSA-2935-1 [2] misses
an epoch in the wheezy fixed version of package libgadu.

[1] https://security-tracker.debian.org/tracker/DSA-2935-1
[2] https://lists.debian.org/debian-security-announce/2014/msg00116.html

Please fix the tracker data.
Bye and thanks for your time!


-- 
Archive: https://lists.debian.org/20140523211515.8488.35387.reportbug@homebrew



Bug#743246: security-tracker: DSA-2893-1 vs. tracker

2014-03-31 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello again!
The tracker data [1] for DSA-2893-1 [2] seems to miss an epoch for both
fixed versions of package openswan.

[1] https://security-tracker.debian.org/tracker/DSA-2893-1
[2] https://lists.debian.org/debian-security-announce/2014/msg00067.html

Please fix the data: thanks for your time!
Bye.


-- 
Archive: https://lists.debian.org/20140331210049.7671.78903.reportbug@homebrew



Bug#743046: security-tracker: DSA-2891-1 vs. tracker

2014-03-30 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello!
The tracker data [1] for DSA-2891-1 [2] seems to miss an epoch for the
wheezy fixed version of package mediawiki.

[1] https://security-tracker.debian.org/tracker/DSA-2891-1
[2] https://lists.debian.org/debian-security-announce/2014/msg00064.html

Please fix the data.
Thanks for your time!

Bye.


Archive: https://lists.debian.org/20140330130947.4598.58763.reportbug@homebrew



Bug#738584: security-tracker: DSA-2858-1 vs. tracker

2014-02-10 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello all,
DSA-2858-1 [1] states that several vulnerabilities have been fixed
in sid by iceweasel/24.3.0esr-1, but the tracker disagrees for
two of them [2][3] (the tracker claims that sid is still vulnerable).

[1] https://lists.debian.org/debian-security-announce/2014/msg00028.html
[2] https://security-tracker.debian.org/tracker/CVE-2014-1490
[3] https://security-tracker.debian.org/tracker/CVE-2014-1491

Please clarify and/or update the tracker data.
Thanks for your time!


Archive: http://lists.debian.org/20140210205719.6107.79674.reportbug@homebrew



About testing security team [was: Re: Bug#683986: marked as done (security-tracker: automated testing announcement emails)]

2014-02-08 Thread Francesco Poli
On Sat, 08 Feb 2014 11:53:50 +0100 Moritz Mühlenhoff wrote:

[...]
> there's no longer a testing security team
[...]

Hello Moritz,
could you please clarify?

Do you mean that the testing security team was merged with the (stable)
security team?
Or something else?

I still see

  http://testing-security.debian.net/
  https://alioth.debian.org/projects/secure-testing/

They do not seem to have been shut down...


Thanks for your time.


-- 
 http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
 New GnuPG key, see the transition document!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Re: About testing security team [was: Re: Bug#683986: marked as done (security-tracker: automated testing announcement emails)]

2014-02-08 Thread Francesco Poli
On Sat, 8 Feb 2014 12:46:27 +0100 Moritz Mühlenhoff wrote:

> On Sat, Feb 08, 2014 at 12:09:49PM +0100, Francesco Poli wrote:
> > On Sat, 08 Feb 2014 11:53:50 +0100 Moritz Mühlenhoff wrote:
> > 
> > [...]
> > > there's no longer a testing security team
> > [...]
> > 
> > Hello Moritz,
> > could you please clarify?
> > 
> > Do you mean that the testing security team was merged with the (stable)
> > security team?
> > Or something else?
> 
> There's no longer anyone actively building fixed packages for 
> testing-security.
> Fixed packages still transition to testing, but that's about it.

Thanks for the clarification.

  
> > I still see
> > 
> >   http://testing-security.debian.net/
> 
> I'll update the website to remove the outdated information.

Good, thanks for being willing to do so!

Bye.



Bug#738202: security-tracker: DSA-2856-1 vs. tracker

2014-02-08 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello,
DSA-2856-1 [1] states that CVE-2014-0050 is fixed in oldstable and
stable security updates for libcommons-fileupload-java.

[1] https://lists.debian.org/debian-security-announce/2014/msg00026.html

The tracker seems to agree on its DSA page [2], but seems to miss the
link with the CVE. As a consequence the CVE page [3] still shows
libcommons-fileupload-java as vulnerable in oldstable (security) and
stable (security)...

[2] https://security-tracker.debian.org/tracker/DSA-2856-1
[3] https://security-tracker.debian.org/tracker/CVE-2014-0050

Please update the tracker data accordingly.

Thanks for your time!
Bye.


Archive: http://lists.debian.org/20140208161009.6693.75010.reportbug@homebrew



Bug#735939: security-tracker: DSA-2846-1 vs. tracker

2014-01-18 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello everybody,
DSA-2846-1 [1] says that two vulnerabilities have been fixed in sid
by libvirt/1.2.1-1 .

The tracker seems to agree for CVE-2014-1447, but not for
CVE-2013-6458, which is claimed to be still present in sid [2].

I think the tracker data should be updated.
Thanks for your time!


[1] https://lists.debian.org/debian-security-announce/2014/msg00015.html
[2] https://security-tracker.debian.org/tracker/CVE-2013-6458


Archive: http://lists.debian.org/20140118211752.8092.79157.reportbug@homebrew



Bug#732575: security-tracker: DSA-2822-1 vs. tracker

2013-12-18 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi all!
It seems to me that the squeeze and wheezy fixed versions of
xorg-server are missing an epoch in DSA-2822-1 [1][2].

[1] https://lists.debian.org/debian-security-announce/2013/msg00236.html
[2] https://security-tracker.debian.org/tracker/DSA-2822-1

Please fix the tracker data.
Thanks a lot for your time!

Bye.


Archive: http://lists.debian.org/20131218224552.7217.19089.reportbug@homebrew



Bug#721660: security-tracker: DSA-2749-1 vs. tracker

2013-09-02 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi all,
it seems to me that there's a missing epoch in the wheezy fixed version
of asterisk for DSA-2749-1 [1][2].

[1] https://lists.debian.org/debian-security-announce/2013/msg00160.html
[2] https://security-tracker.debian.org/tracker/DSA-2749-1

Please fix the tracker data.
Thanks for your time!


Archive: http://lists.debian.org/20130902203457.9624.51456.reportbug@homebrew



Bug#718170: security-tracker: DSA-2728-1 vs. tracker

2013-07-28 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello everybody,
it seems to me that there is no tracker page [1] for DSA-2728-1 [2].

Please update the tracker.
Thanks for your time.

[1] https://security-tracker.debian.org/tracker/DSA-2728-1
[2] https://lists.debian.org/debian-security-announce/2013/msg00138.html


Archive: http://lists.debian.org/20130728101533.10496.40073.reportbug@homebrew



Bug#717103: security-tracker: DSA-2722-1 vs. tracker

2013-07-16 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi,
DSA-2722-1 [1] says that many vulnerabilities have been fixed for
sid in openjdk-7/7u25-2.3.10-1 .

The tracker seems to agree for all the vulnerabilities but CVE-2013-2454,
which is claimed to be still present in sid [2].
Is that an oversight?

Please clarify and/or update the tracker data.
Thanks for your time!

[1] https://lists.debian.org/debian-security-announce/2013/msg00132.html
[2] https://security-tracker.debian.org/tracker/CVE-2013-2454


Archive: http://lists.debian.org/20130716203846.11985.65080.reportbug@homebrew



Bug#710056: security-tracker: some release pages fail to display with Proxy Error

2013-05-27 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: important

Hello everybody.
I've just noticed that some release pages no longer work and return
a Proxy Error instead.
For instance:
https://security-tracker.debian.org/tracker/status/release/unstable?show_undetermined_urgency=1

currently displays:

| Proxy Error
| 
| The proxy server received an invalid response from an upstream server.
| The proxy server could not handle the request GET /tracker/status/release/unstable.
| 
| Reason: Error reading from remote server
| 
| Apache Server at security-tracker.debian.org Port 443

Other similar release pages (with URL parameters) suffer from the same
issue.

What's wrong?
Could you please investigate and fix this issue?

Thanks a lot for your time!


Archive: http://lists.debian.org/20130527220950.5910.60676.reportbug@homebrew



Bug#709893: security-tracker: DSA-2692-1 vs. tracker

2013-05-26 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello,
DSA-2692-1 [1] says that CVE-2013-2001 has been fixed for sid in
libxxf86vm/1:1.1.2-1+deb7u1 .

On the other hand, the tracker [2] seems to disagree: it currently
claims that the fixed version for unstable is 2:1.1.3-2+deb7u1 ...
Is that a typo?

Please clarify and/or update the tracker data.
Thanks for your time!


[1] https://lists.debian.org/debian-security-announce/2013/msg00100.html
[2] https://security-tracker.debian.org/tracker/CVE-2013-2001


Archive: http://lists.debian.org/20130526144643.13361.25161.reportbug@homebrew



Bug#709894: security-tracker: DSA-2694-1 vs. tracker

2013-05-26 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello again,
there seems to be no tracker page [1] for DSA-2694-1 [2].

Please update the tracker data.
Thanks again for your time!

[1] https://security-tracker.debian.org/tracker/DSA-2694-1
[2] https://lists.debian.org/debian-security-announce/2013/msg00103.html


Archive: http://lists.debian.org/20130526144850.13418.58347.reportbug@homebrew



Bug#700115: security-tracker: DSA-2618-1 vs. tracker

2013-02-08 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello,
it seems to me that an epoch is missing from the squeeze fixed version
of package ircd-hybrid in the tracker page [1] for DSA-2618-1 [2].

Please fix the tracker data.
Thanks for your time!

[1] https://security-tracker.debian.org/tracker/DSA-2618-1
[2] https://lists.debian.org/debian-security-announce/2013/msg00022.html

P.S.: to be precise, the epoch seems to be missing from the actual
  DSA too, but that is not going to be fixed, I guess...
  


Archive: http://lists.debian.org/20130208213702.5557.90246.reportbug@homebrew



Bug#699605: security-tracker: DSA-2614-1,DSA-2615-1 vs. tracker

2013-02-02 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi all,
DSA-2614-1 [1] and DSA-2615-1 [2] state that several vulnerabilities
have been fixed in sid by libupnp/1:1.6.17-1.2 and by
libupnp4/1.8.0~svn20100507-1.2 .
However, the tracker seems to disagree [3][4][5][6][7][8][9][10]
(it still claims that unstable is unfixed).

Please update the tracker data.
Thanks for your time!

 [1] https://lists.debian.org/debian-security-announce/2013/msg00018.html
 [2] https://lists.debian.org/debian-security-announce/2013/msg00019.html
 [3] https://security-tracker.debian.org/tracker/CVE-2012-5958
 [4] https://security-tracker.debian.org/tracker/CVE-2012-5959
 [5] https://security-tracker.debian.org/tracker/CVE-2012-5960
 [6] https://security-tracker.debian.org/tracker/CVE-2012-5961
 [7] https://security-tracker.debian.org/tracker/CVE-2012-5962
 [8] https://security-tracker.debian.org/tracker/CVE-2012-5963
 [9] https://security-tracker.debian.org/tracker/CVE-2012-5964
[10] https://security-tracker.debian.org/tracker/CVE-2012-5965


Archive: http://lists.debian.org/20130202114838.4762.75273.reportbug@homebrew



Bug#694663: security-tracker: DSA-2578-1 vs. tracker

2012-11-28 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello,
although DSA-2578-1 [1] has been recently issued, the tracker
still seems to be unaware of it [2].

Please update the tracker data.

Thanks!


[1] https://lists.debian.org/debian-security-announce/2012/msg00221.html
[2] http://security-tracker.debian.org/tracker/DSA-2578-1


Archive: http://lists.debian.org/20121128201015.6112.79320.reportbug@homebrew



Re: Where is typo3-src/4.3.9+dfsg1-1+squeeze7 ?

2012-11-17 Thread Francesco Poli
On Sat, 17 Nov 2012 17:51:01 +0100 Nico Golde wrote:

[...]
> The files are there now. Thank you for contacting us!

Thanks to you for fixing the issue!
Bye.



Bug#690807: security-tracker: DSA-2559-1 vs. tracker

2012-10-17 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi all,
DSA-2559-1 [1] was issued, but the tracker seems to know nothing
about it [2] yet.

Please update the tracker data.

Thanks for your time!

[1] https://lists.debian.org/debian-security-announce/2012/msg00203.html
[2] http://security-tracker.debian.org/tracker/DSA-2559-1


Archive: http://lists.debian.org/20121017195308.20540.6602.reportbug@homebrew



Bug#685843: security-tracker: DSA-2533-1 vs. tracker

2012-08-25 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello,
DSA-2533-1 [1] states that four vulnerabilities are fixed in sid
by pcp/3.6.5
The tracker [2][3][4][5] seems to disagree.

Please update the tracker data.
Thanks for your time!


[1] https://lists.debian.org/debian-security-announce/2012/msg00174.html
[2] http://security-tracker.debian.org/tracker/CVE-2012-3418
[3] http://security-tracker.debian.org/tracker/CVE-2012-3419
[4] http://security-tracker.debian.org/tracker/CVE-2012-3420
[5] http://security-tracker.debian.org/tracker/CVE-2012-3421


Archive: http://lists.debian.org/20120825093456.4570.17108.reportbug@homebrew



Bug#685280: security-tracker: DSA-2531-1 vs. tracker

2012-08-19 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello,
DSA-2531-1 has been recently issued [1], but the corresponding tracker
page [2] is basically empty.

Please update the tracker data.
Thanks for your time!

[1] https://lists.debian.org/debian-security-announce/2012/msg00172.html
[2] http://security-tracker.debian.org/tracker/DSA-2531-1


Archive: http://lists.debian.org/20120819094126.13594.73423.reportbug@lilith



Bug#683916: security-tracker: DSA-2520-1 vs. tracker

2012-08-05 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello!

DSA-2520-1 [1] and the corresponding tracker page [2] state that
CVE-2012-2665 has been fixed in stable by
openoffice.org/3.2.1-11+squeeze7.
I believe that an epoch is missing, since the version number
of the openoffice.org package currently in stable is already
1:3.2.1-11+squeeze4.

Please update the tracker data.

Thanks for your time!

[1] https://lists.debian.org/debian-security-announce/2012/msg00160.html
[2] http://security-tracker.debian.org/tracker/DSA-2520-1


Archive: http://lists.debian.org/20120805124226.6023.69669.reportbug@homebrew
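The missing-epoch problem in the report above (and in the other missing-epoch reports on this page) comes down to how dpkg orders version strings: the epoch is compared first, so an epoch-less `3.2.1-11+squeeze7` sorts below `1:3.2.1-11+squeeze4`, and a tracker entry that drops the epoch would treat the still-unpatched stable package as already at or above the fixed version, i.e. as fixed. The Python below is an added example, not code from the security tracker or from Debian, that implements the deb-version(7) comparison rules (epoch, then upstream version, then Debian revision; `~` sorts before everything, letters before non-letters, digit runs numerically) and a hypothetical `status_for()` helper that mimics a tracker-style "installed version at or above the fixed version" check. The corrected value `1:3.2.1-11+squeeze7` is an assumption, since the report only says that the epoch is missing.

```python
"""Debian version ordering as specified in deb-version(7).
Added example, not code from the security tracker."""
import string


def _order(c: str) -> int:
    """Weight of one character in the non-digit comparison pass:
    '~' sorts before everything (even the end of the string), end of
    string and digits are 0, letters keep their ASCII value, and every
    other character is pushed above all letters."""
    if c == "" or c in string.digits:
        return 0
    if c in string.ascii_letters:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or debian-revision fragments by
    alternating a lexical pass over non-digit runs with a numeric pass
    over digit runs, the same way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # lexical pass: runs until both sides sit at a digit or at the end
        while (i < len(a) and a[i] not in string.digits) or \
              (j < len(b) and b[j] not in string.digits):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # numeric pass: drop leading zeros, then compare digit by digit;
        # the side with more digits left is the larger number
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in string.digits and \
              j < len(b) and b[j] in string.digits:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in string.digits:
            return 1
        if j < len(b) and b[j] in string.digits:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision).
    The epoch defaults to 0 and the revision to '' when absent; the last
    hyphen separates the upstream version from the Debian revision."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def status_for(installed: str, fixed: str) -> str:
    """Hypothetical tracker-style check (not the tracker's own code): a
    package counts as 'fixed' once the archive version is at least the
    version the DSA names."""
    return "fixed" if compare_versions(installed, fixed) >= 0 else "vulnerable"


if __name__ == "__main__":
    in_stable = "1:3.2.1-11+squeeze4"    # version in stable, from the report above
    as_written = "3.2.1-11+squeeze7"     # fixed version as printed, epoch missing
    with_epoch = "1:3.2.1-11+squeeze7"   # assumed corrected fixed version
    print(in_stable, "vs", as_written, "->", status_for(in_stable, as_written))
    print(in_stable, "vs", with_epoch, "->", status_for(in_stable, with_epoch))
```

Run stand-alone, the first line reports the unpatched stable package as "fixed" purely because of the dropped epoch, while the second reports it as "vulnerable"; that is why an epoch typo in tracker data is worth a bug report rather than a cosmetic nit.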



Bug#683921: security-tracker: DSA-2519-2 vs. tracker

2012-08-05 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi!

DSA-2519-2 has been issued [1], stating that the previously
announced security patches were not really applied to
isc-dhcp/4.1.1-P1-15+squeeze5, an issue that has been fixed
in isc-dhcp/4.1.1-P1-15+squeeze6.

[1] https://lists.debian.org/debian-security-announce/2012/msg00161.html

Hence, it is my understanding that isc-dhcp/4.1.1-P1-15+squeeze5
is still vulnerable to CVE-2011-4539, CVE-2012-3571, and CVE-2012-3954,
while isc-dhcp/4.1.1-P1-15+squeeze6 is fixed.

On the other hand, the tracker still seems to consider
isc-dhcp/4.1.1-P1-15+squeeze5 as fixed, and shows no trace of
DSA-2519-2 (the corresponding tracker page [2] still redirects
to the one for DSA-2519-1).

[2] http://security-tracker.debian.org/tracker/DSA-2519-2

Please update the tracker data.

Thanks again for your time!


Archive: http://lists.debian.org/20120805125126.6203.92101.reportbug@homebrew



Bug#683922: security-tracker: DSA-2521-1 vs. tracker

2012-08-05 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello!

DSA-2521-1 [1] has been recently issued, but the tracker [2] seems to be
still unaware of it.

Please update the tracker data.

Thanks for your time!

[1] https://lists.debian.org/debian-security-announce/2012/msg00162.html
[2] http://security-tracker.debian.org/tracker/DSA-2521-1


Archive: http://lists.debian.org/20120805125715.6424.81946.reportbug@homebrew



The tracker is no longer updated

2012-08-05 Thread Francesco Poli
Hi everybody (again)!

As you already know, I've just filed three bug reports (#683916,
#683921, and #683922) that were immediately closed, since the tracker
data are already correct.

On the other hand, the web presentation of the tracker data seems to no
longer get updates from the subversion repository, as noted by
Yves-Alexis Perez.

Please fix the updating mechanism for the web presentation of the
security tracker!


P.S.: should I file an actual bug report for this issue, or does this
message to the mailing list suffice?



Bug#681524: closed by Michael Gilbert mgilb...@debian.org (Re: Bug#681524: security-tracker: DSA-2511-1 vs. tracker)

2012-07-17 Thread Francesco Poli
On Tue, 17 Jul 2012 01:09:03 + Debian Bug Tracking System wrote:

> On Fri, Jul 13, 2012 at 5:28 PM, Francesco Poli (wintermute) wrote:
[...]
> > DSA-2511-1 [...] says that CVE-2012-386[4-7] are fixed in sid by
> > puppet/2.7.18-1, but the tracker seems to disagree
[...]
> 
> Tracker data has been corrected.  Thanks!
> Mike

Thanks to you.

But is CVE-2012-3408 also fixed in squeeze (security) and sid?
The DSA does not mention it and I cannot find it in the changelogs.

I assume the tracker is right, but it looks strange that CVE-2012-3408
is associated with DSA-2511-1, while the DSA itself does not mention
CVE-2012-3408...



Bug#681524: security-tracker: DSA-2511-1 vs. tracker

2012-07-13 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi!

DSA-2511-1 [1] says that CVE-2012-386[4-7] are fixed in sid by
puppet/2.7.18-1, but the tracker seems to disagree [2].

I suppose the DSA is right: if this is the case, please update
the tracker data.
Thanks for your time!


[1] https://lists.debian.org/debian-security-announce/2012/msg00149.html
[2] http://security-tracker.debian.org/tracker/CVE-2012-3864 and so forth



Archive: http://lists.debian.org/20120713212855.6556.74354.reportbug@homebrew



Re: Question: where is zendframework/1.11.12-1

2012-07-04 Thread Francesco Poli
On Wed, 04 Jul 2012 09:06:35 +0200 Frank Habermann wrote:

[...]
> Hi folks,

Hello!

 
> > Package: zendframework
[...]
> Package is now uploaded by my sponsor.

Thanks to you and to your sponsor!

Now, I hope you succeed in requesting and obtaining a freeze
exception...

Bye.



Question: where is zendframework/1.11.12-1

2012-07-02 Thread Francesco Poli
Hello everybody,
there's something unclear to me.

DSA-2505-1 [1] states that CVE-2012-3363 is fixed in unstable by
zendframework/1.11.12-1 and the tracker seems to agree [2].

[1] https://lists.debian.org/debian-security-announce/2012/msg00145.html
[2] http://security-tracker.debian.org/tracker/CVE-2012-3363

Good, but... where in the world is zendframework/1.11.12-1 ?

The DSA was issued on last Friday.
Nonetheless, it seems that zendframework/1.11.12-1 has not yet
materialized:

$ rmadison zendframework
 zendframework | 1.10.6-1 | squeeze  | source, all
 zendframework | 1.10.6-1squeeze1 | squeeze-p-u  | source, all
 zendframework | 1.10.6-1squeeze1 | squeeze-security | source, all
 zendframework | 1.11.11-1| wheezy   | source, all
 zendframework | 1.11.11-1| sid  | source, all


Is there anything obvious that I am overlooking?
Could you please explain?

Thanks for your time.




Bug#679563: security-tracker: DSA-2503-1 vs. tracker

2012-07-01 Thread Francesco Poli
On Fri, 29 Jun 2012 21:41:46 +0200 Florian Weimer wrote:

> * Francesco Poli:
> 
> > DSA-2503-1 [1] states that CVE-2012-3366 is fixed in sid by
> > bcfg2/1.2.2-2, but the tracker [2] seems to disagree.
> 
> > I think that the DSA is probably right, since the BTS seems to
> > tell the same story [3].
> 
> Thanks, fixed.

Thanks to you!   :-)

 
> Would you be willing to fix these issues on your own, now that
> Subversion 1.7 (which is licensed under the Apache License 2.0) has
> entered the archive?

Thanks for the offer, I will think about it.
It cannot happen now, but it *could* happen in the future...

Bye.



Bug#679563: security-tracker: DSA-2503-1 vs. tracker

2012-06-29 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello everybody!

DSA-2503-1 [1] states that CVE-2012-3366 is fixed in sid by
bcfg2/1.2.2-2, but the tracker [2] seems to disagree.

I think that the DSA is probably right, since the BTS seems to
tell the same story [3].

Please update the tracker data.
Thanks for your time!

[1] https://lists.debian.org/debian-security-announce/2012/msg00143.html
[2] http://security-tracker.debian.org/tracker/CVE-2012-3366
[3] http://bugs.debian.org/679272



Archive: http://lists.debian.org/20120629192750.4649.70065.reportbug@homebrew



Bug#669286: security-tracker: DSA-2453-1 vs. tracker

2012-04-23 Thread Francesco Poli
On Mon, 23 Apr 2012 19:26:35 +0200 Moritz Mühlenhoff wrote:

> On Wed, Apr 18, 2012 at 09:24:28PM +0200, Francesco Poli (wintermute) wrote:
> > Package: security-tracker
> > Severity: normal
> > 
> > Hello,
> > DSA-2453-1 [1] states that three vulnerabilities are fixed in
> > wheezy and sid by gajim/0.15-1, but the tracker seems to disagree
> > regarding CVE-2012-2093 [2], which is still considered as unfixed
> > in gajim/0.15-1 ...
> > 
> > Please update the tracker data, as appropriate.
> > Thanks for your time!
> 
> This bug is still unfixed in sid, see #668710.

Thank you for your kind reply.

This means that the DSA was imprecise, doesn't it?
If this is the case, well, sorry for the noise: this bug report
(#669286) may be safely closed. Please do so, if my conclusions are
correct.

Thanks for your time.




Bug#669286: security-tracker: DSA-2453-1 vs. tracker

2012-04-18 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello,
DSA-2453-1 [1] states that three vulnerabilities are fixed in
wheezy and sid by gajim/0.15-1, but the tracker seems to disagree
regarding CVE-2012-2093 [2], which is still considered as unfixed
in gajim/0.15-1 ...

Please update the tracker data, as appropriate.
Thanks for your time!

[1] https://lists.debian.org/debian-security-announce/2012/msg00083.html
[2] http://security-tracker.debian.org/tracker/CVE-2012-2093



Archive: http://lists.debian.org/20120418192428.14551.17631.reportbug@homebrew



tracker not seeing security updates for stable?

2012-03-28 Thread Francesco Poli
Hello everybody,
it seems to me that the tracker stopped fetching info about package
versions in squeeze (security).

Examples:
http://security-tracker.debian.org/tracker/DSA-2441-1
http://security-tracker.debian.org/tracker/DSA-2442-1
http://security-tracker.debian.org/tracker/DSA-2443-1

What's wrong?
Is there anything that needs to be fixed?

Please fix the tracker updating mechanism and/or clarify.
Thanks for your time!




Bug#658545: security-tracker: DSA-2401-1 vs. tracker

2012-02-03 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello!

DSA-2401-1 [1] claims that a number of referenced vulnerabilities
are fixed in sid by tomcat6/6.0.35-1
However, two vulnerabilities (CVE-2011-3190 [2] and CVE-2011-4858 [3])
out of the 10 referenced ones are shown as not fixed in sid and wheezy
on the tracker.

Is the DSA wrong or is the tracker incorrect?
In the latter case, please fix the tracker data.
Otherwise, please clarify.

Thanks for your time!

[1] http://lists.debian.org/debian-security-announce/2012/msg00025.html
[2] http://security-tracker.debian.org/tracker/CVE-2011-3190
[3] http://security-tracker.debian.org/tracker/CVE-2011-4858



Archive: http://lists.debian.org/20120203214653.7694.54376.reportbug@homebrew



Bug#657648: security-tracker: DSA-2394-1 vs. tracker

2012-01-27 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hello!

The tracker page [1] for DSA-2394-1 [2] seems to be almost empty.
Please fix the tracker data.

Thanks for your time!

[1] http://security-tracker.debian.org/tracker/DSA-2394-1
[2] http://lists.debian.org/debian-security-announce/2012/msg00018.html



Archive: http://lists.debian.org/20120127180547.3287.10418.reportbug@homebrew



Bug#655960: security-tracker: DSA-2388-1 vs. tracker

2012-01-15 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi!

The tracker page [1] for DSA-2388-1 [2] looks OK, but some of the
referenced CVE tracker pages [3][4] claim that t1lib/5.1.2-3.3 is still
vulnerable in wheezy and sid, while the DSA [2] claims that all the
CVEs are fixed in wheezy and sid by t1lib/5.1.2-3.3 ...

Assuming that the DSA is right and the tracker is wrong, please
fix this inconsistency.

Thanks for your time!

[1] http://security-tracker.debian.org/tracker/CVE-2010-2642
[2] http://lists.debian.org/debian-security-announce/2012/msg00011.html
[3] http://security-tracker.debian.org/tracker/CVE-2010-2642
[4] http://security-tracker.debian.org/tracker/CVE-2011-0433



Archive: http://lists.debian.org/20120115115354.7889.27573.reportbug@homebrew



Bug#655960: security-tracker: DSA-2388-1 vs. tracker

2012-01-15 Thread Francesco Poli
On Sun, 15 Jan 2012 13:42:50 +0100 Yves-Alexis Perez wrote:

> On dim., 2012-01-15 at 12:53 +0100, Francesco Poli (wintermute) wrote:
[...]
> > Assuming that the DSA is right and the tracker is wrong, please
> > fix this inconsistency.
[...]
> 
> You're perfectly right, wheezy/sid doesn't have a fix for 2011-0433 and
> 2010-2642, for some reason.

Ah, so it was the opposite of what I thought: the tracker was right,
while the DSA was wrong!

> I'm gonna prepare another NMU and an errata
> for the DSA.

Great!
I am happy to see things getting fixed up!   ;-)

 
> Regards,

Bye, and thanks a lot for your much appreciated dedication to security!




Bug#653278: security-tracker: DSA-237[23]-1 vs. tracker

2011-12-26 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi!

There seem to be no tracker pages [1][2] for DSA-2372-1 [3] or for
DSA-2373-1 [4].

Please update the tracker data.
Thanks for your time!

[1] http://security-tracker.debian.org/tracker/DSA-2372-1
[2] http://security-tracker.debian.org/tracker/DSA-2373-1
[3] http://lists.debian.org/debian-security-announce/2011/msg00251.html
[4] http://lists.debian.org/debian-security-announce/2011/msg00252.html






Bug#650929: security-tracker: DSA-2357-1 vs. tracker

2011-12-05 Thread Francesco Poli
On Mon, 05 Dec 2011 13:16:41 +0100 Yves-Alexis Perez wrote:

> On dim., 2011-12-04 at 16:00 +0100, Francesco Poli wrote:
[...]
> > The situation has improved significantly since I reported the
> > inconsistency.
> > Thanks a lot to whoever (silently) updated the tracker, if anyone
> > actually did it.
> 
> Actually I didn't see your mail, but fixed the issue meanwhile.

Great!
I love it when bugs get fixed even before a bug report manages to reach
the involved people!   ;-)

> > 
> > Just to nitpick a little, there's a final detail to fix: the DSA says
> > that three vulnerabilities (out of four) are already fixed for stable in
> > evince/2.30.3-2, while only the fourth vulnerability (CVE-2010-2642) is
> > unfixed in evince/2.30.3-2 and fixed in evince/2.30.3-2+squeeze1 .
> > There seems to be no trace of this distinction on the tracker.
> 
> Yeah, and I don't know why, since in the source file the 3 CVEs are
> marked as fixed by 2.30.3-2.

I am not sure: maybe because it's marked as fixed in (unstable) ?
An additional entry for the stable fixed version is perhaps needed...

> > 
> > Please fix this last detail, if possible.
> > Again, thanks for your time.
> > 
> I've requested some help from another team member, will keep you posted.

Good, I hope it's not too tricky to get this thing right!

Bye.



Bug#650929: security-tracker: DSA-2357-1 vs. tracker

2011-12-04 Thread Francesco Poli
On Sun, 04 Dec 2011 12:19:46 +0100 Francesco Poli (wintermute) wrote:

[...]
> Hi!
> It seems to me that the tracker page [1] for DSA-2357-1 [2] is
> fairly incomplete.
[...]
> [1] http://security-tracker.debian.org/tracker/DSA-2357-1
> [2] http://lists.debian.org/debian-security-announce/2011/msg00235.html

The situation has improved significantly since I reported the
inconsistency.
Thanks a lot to whoever (silently) updated the tracker, if anyone
actually did it.

Just to nitpick a little, there's a final detail to fix: the DSA says
that three vulnerabilities (out of four) are already fixed for stable in
evince/2.30.3-2, while only the fourth vulnerability (CVE-2010-2642) is
unfixed in evince/2.30.3-2 and fixed in evince/2.30.3-2+squeeze1 .
There seems to be no trace of this distinction on the tracker.

Please fix this last detail, if possible.
Again, thanks for your time.



Bug#649011: security-tracker: DSA-2346-1 vs. tracker

2011-11-17 Thread Francesco Poli
On Thu, 17 Nov 2011 15:18:59 +0100 Nico Golde wrote:

[...]
> Thanks for the report! Fixed.

You're welcome.
Everything's fine now, except that the DSA says that lenny is not
affected by CVE-2011-4130, while the tracker disagrees...





Bug#646217: security-tracker: DSA-2324-1 vs. tracker

2011-10-22 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi,
DSA-2324-1 [1] states that wireshark/1.6.2-1 fixes CVE-2011-3360
in sid.
However, the tracker page for the CVE [2] seems to ignore this
fact.

Assuming the DSA is correct, please update the tracker data.
Thanks for your time.

[1] http://lists.debian.org/debian-security-announce/2011/msg00200.html
[2] http://security-tracker.debian.org/tracker/CVE-2011-3360






Bug#643901: security-tracker: DSA-2313-1 vs. tracker

2011-09-30 Thread Francesco Poli (wintermute)
Package: security-tracker
Severity: normal

Hi!

It seems that there's no tracker page [1] for DSA-2313-1 [2], yet.
Please update the tracker data.

Thanks for your time.

[1] http://security-tracker.debian.org/tracker/DSA-2313-1
[2] http://lists.debian.org/debian-security-announce/2011/msg00190.html






Bug#642259: marked as done (security-tracker: DSA-2305-1 vs. tracker)

2011-09-22 Thread Francesco Poli
On Thu, 22 Sep 2011 12:31:35 +0200 Nico Golde wrote:

[...]
> * Francesco Poli invernom...@paranoici.org [2011-09-21 23:45]:
[...]
> > If I correctly understand what you mean, CVE-2011-2189 is about the
> > issue in the Linux kernel, rather than about the issue on vsftpd side.
> > 
> > If this is the case, that explains adequately.
> 
> Exactly.

Thanks for confirming.

> 
> > However, I've just noticed another little inconsistency (I am therefore
> > reopening the bug report): the DSA claims that the issues are fixed in
> > squeeze by version 2.3.2-3+squeeze2, but the CVE-2011-0762 tracker page
> > [1] says that we should wait for version 2.3.2-3+squeeze3 .
> > If this is incorrect, please fix the tracker data.
> > Thanks.
> 
> Says 2.3.2-3+squeeze2 and did so since I released the DSA.

The DSA tracker page has always had the correct fixed squeeze version,
but I'm pretty sure the CVE tracker page used to have +squeeze3 instead
of +squeeze2 .

Anyway, everything seems to be fine, now.
Bye.



Bug#642259: marked as done (security-tracker: DSA-2305-1 vs. tracker)

2011-09-21 Thread Francesco Poli
reopen 642259 =
thanks


On Wed, 21 Sep 2011 21:27:39 +0200 Nico Golde wrote:

> Hi,
> * Francesco Poli invernom...@paranoici.org [2011-09-21 19:07]:
[...]
> > Why did you add only a note, rather than an actual reference to
> > CVE-2011-2189 ?
> 
> Because technically vsftpd would need its own CVE id (which it will not get 
> though).

If I correctly understand what you mean, CVE-2011-2189 is about the
issue in the Linux kernel, rather than about the issue on vsftpd side.

If this is the case, that explains adequately.
Thanks.


However, I've just noticed another little inconsistency (I am therefore
reopening the bug report): the DSA claims that the issues are fixed in
squeeze by version 2.3.2-3+squeeze2, but the CVE-2011-0762 tracker page
[1] says that we should wait for version 2.3.2-3+squeeze3 .
If this is incorrect, please fix the tracker data.
Thanks.


[1] http://security-tracker.debian.org/tracker/CVE-2011-0762



DSA-2304-1 vs. tracker

2011-09-11 Thread Francesco Poli
Hi list!

CVE-2011-0762 [1] seems to be extraneous to DSA-2304-1 [2], but got
nonetheless somehow associated with that DSA on the tracker [3].

If this was due to a typo, please fix the tracker data.


[1] http://security-tracker.debian.org/tracker/CVE-2011-0762
[2] http://lists.debian.org/debian-security-announce/2011/msg00183.html
[3] http://security-tracker.debian.org/tracker/DSA-2304-1



Re: DSA-2304-1 vs. tracker

2011-09-11 Thread Francesco Poli
On Sun, 11 Sep 2011 17:58:00 -0400 Michael Gilbert wrote:

> Francesco Poli wrote:
[...]
> > If this was due to a typo, please fix the tracker data.
> 
> Hi,
> 
> This should be correct now.

Yes, it looks right, now.
Thanks a lot for fixing the inconsistency!

> Would you mind trying a new work flow
> when you find your next tracker data issue?  If you wouldn't mind,
> please submit a bug against the security-tracker pseudo package [...];
> that way, we can track and appropriately close the issues you find.

Fine with me: I'll try to remember to do so, next time.
Bye.



Re: DSA-2301-1 vs. tracker

2011-09-07 Thread Francesco Poli
On Wed, 7 Sep 2011 01:12:37 +0200 Luciano Bello wrote:

> On Wednesday 07 September 2011, Francesco Poli wrote:
> > Please update the tracker data.
> 
> My fault. Fixed.

Mmmmh, it seems to me that versions were used in place of package
names...
As a consequence, the tracker didn't apparently understand what we are
talking about!   ;-)

Please fix the tracker data.




Re: DSA-2301-1 vs. tracker

2011-09-07 Thread Francesco Poli
On Wed, 7 Sep 2011 18:48:49 +0200 Francesco Poli wrote:

> On Wed, 7 Sep 2011 01:12:37 +0200 Luciano Bello wrote:
> 
> > On Wednesday 07 September 2011, Francesco Poli wrote:
> > > Please update the tracker data.
> > 
> > My fault. Fixed.
> 
> Mmmmh, it seems to me that versions were used in place of package
> names...
> As a consequence, the tracker didn't apparently understand what we are
> talking about!   ;-)
> 
> Please fix the tracker data.

Thanks to whoever fixed the tracker data!
Everything seems to be consistent now.

Bye.




DSA-2301-1 vs. tracker

2011-09-06 Thread Francesco Poli
Hi all!

It seems to me that there's no tracker page [1] for DSA-2301-1 [2] yet.
Please update the tracker data.

[1] http://security-tracker.debian.org/tracker/DSA-2301-1
[2] http://lists.debian.org/debian-security-announce/2011/msg00177.html



Re: DSA-2281-1 vs. tracker

2011-07-22 Thread Francesco Poli
On Thu, 21 Jul 2011 21:02:20 +0200 Francesco Poli wrote:

[...]
> To tell the truth, there's a little discrepancy left over: the DSA
> claims that CVE-2010-1938 does not affect squeeze, while the tracker
> claims that squeeze (without security updates) is vulnerable...

I've just re-checked, this last discrepancy appears to have been fixed,
as well.

Thanks.



DSA-2281-1 vs. tracker

2011-07-21 Thread Francesco Poli
Hi!

It seems to me that the DSA-2281-1 [1] tracker page [2] presents messed
up data. It looks like the version numbers were used in place of the
package name...

Please fix the tracker data.

[1] http://lists.debian.org/debian-security-announce/2011/msg00155.html
[2] http://security-tracker.debian.org/tracker/DSA-2281-1



Re: #612033 vs. tracker

2011-07-15 Thread Francesco Poli
On Wed, 13 Jul 2011 21:10:37 +0200 Francesco Poli wrote:

[...]
> Who's wrong and who's right?
> Should the tracker data be updated in order to reflect the BTS?
> Or should the bug be reopened as unfixed?

The tracker data have been apparently updated.
Thanks.




Re: DSA-2273-1 vs. tracker

2011-07-15 Thread Francesco Poli
On Wed, 13 Jul 2011 20:59:25 +0200 Francesco Poli wrote:

> On Sat, 9 Jul 2011 19:15:04 +0200 Francesco Poli wrote:
> 
> [...]
> > ...there's still something that does not look right to me.
> [...]
> > What's wrong?
> > Is the DSA [...] incorrect about sid, or is the tracker data incomplete?
> > 
> > Please clarify.
> 
> The tracker is still inconsistent with the DSA.
> Could someone please clarify and/or fix the tracker data?

OK, just checked this one, as well.
Everything seems to be fine, now.

Thanks.




Re: DSA-2273-1 vs. tracker

2011-07-09 Thread Francesco Poli
On Thu, 7 Jul 2011 19:00:07 +0200 Francesco Poli wrote:

[...]
> The tracker seems to be still unaware [1] of DSA-2273-1 [2].
> Please update the tracker data!

Thanks for updating the tracker data, but...
...there's still something that does not look right to me.

The DSA [2] claims that all the referenced CVE ids are fixed in sid by
icedove/3.1.11-1 .
However, the tracker (see links from [1]) considers
CVE-2011-0083, CVE-2011-0085, CVE-2011-2362, and CVE-2011-2363
as still unfixed in icedove/3.1.11-1 ...

> 
> [1] http://security-tracker.debian.org/tracker/DSA-2273-1
> [2] http://lists.debian.org/debian-security-announce/2011/msg00145.html

What's wrong?
Is the DSA [2] incorrect about sid, or is the tracker data incomplete?

Please clarify.



DSA-2274-1 vs. tracker

2011-07-09 Thread Francesco Poli
Hello, it's me, again!

DSA-2274-1 [1] claims that all the referenced CVE ids are fixed in sid
by wireshark/1.2.17-1 .
However, the tracker disagrees on CVE-2011-1957 [2] and CVE-2011-1958
[3], claiming that those vulnerabilities are still unfixed in sid.

Where's the truth?
Please clarify and/or fix the tracker data.

[1] http://lists.debian.org/debian-security-announce/2011/msg00146.html
[2] http://security-tracker.debian.org/tracker/CVE-2011-1957
[3] http://security-tracker.debian.org/tracker/CVE-2011-1958




DSA-2273-1 vs. tracker

2011-07-07 Thread Francesco Poli
Hi list!

The tracker seems to be still unaware [1] of DSA-2273-1 [2].
Please update the tracker data!

[1] http://security-tracker.debian.org/tracker/DSA-2273-1
[2] http://lists.debian.org/debian-security-announce/2011/msg00145.html



DSA-2268-1 vs. tracker

2011-07-02 Thread Francesco Poli
Hello everybody,
there's something I cannot quite understand about DSA-2268-1 [1].
It says that several CVE ids are fixed in iceweasel/3.5.16-9 for stable.
However I cannot find any trace of that version on the PTS [2], or on
security.d.o [3].

What's wrong?
Where did the upload go?
Is the upload for stable-security still in preparation?


Another issue, though a minor one, is that the DSA [1] lists
CVE-2011-2365 as one of the addressed vulnerabilities, but fails to
include a description for that CVE id.
The tracker page [4] refers to that CVE id as well, and indeed it seems
that this CVE id is about iceweasel.
If this CVE id is really fixed by DSA-2268-1, then I think that the
tracker is consistent with the DSA.
Otherwise, please fix the tracker data.


[1] http://lists.debian.org/debian-security-announce/2011/msg00139.html
[2] http://packages.qa.debian.org/i/iceweasel.html
[3] http://security.debian.org/debian-security/pool/updates/main/i/iceweasel/
[4] http://security-tracker.debian.org/tracker/DSA-2268-1



Re: DSA-2264-1 vs. tracker

2011-06-22 Thread Francesco Poli
On Sun, 19 Jun 2011 11:27:35 +0200 Francesco Poli wrote:

> Hi all!
> The tracker page [...] for DSA-2264-1 [...] seems to lack the links for the
> following CVE ids:
[...]

Thanks to anyone who fixed the tracker data!
Everything seems to be consistent now.

Bye.



DSA-2264-1 vs. tracker

2011-06-19 Thread Francesco Poli
Hi all!
The tracker page [1] for DSA-2264-1 [2] seems to lack the links for the
following CVE ids:

CVE-2010-2524
CVE-2010-4075
CVE-2010-4655
CVE-2011-0710
CVE-2011-1010
CVE-2011-1012
CVE-2011-1017
CVE-2011-1078
CVE-2011-1093
CVE-2011-1577
CVE-2011-1768
CVE-2011-2182 

Please add these missing links.

[1] http://security-tracker.debian.org/tracker/DSA-2264-1
[2] http://lists.debian.org/debian-security-announce/2011/msg00134.html




Re: DSA-2258-1 vs. tracker

2011-06-11 Thread Francesco Poli
On Sat, 11 Jun 2011 20:42:52 +0200 Nico Golde wrote:

> Hi,
> * Francesco Poli invernom...@paranoici.org [2011-06-11 19:10]:
> > DSA-2258-1 [1] is about CVE-2011-1926, but the DSA tracker page [2]
> > refers to CVE-2011-2194.
> [...] 
> Thanks

You're welcome!   :-)
Thanks to you for fixing the data!

> fixed, cp error. CVE-2011-2194 was the previous DSA.

Yep, I had noticed...  ;-)
Everything seems to be OK now.

Bye.



DSA-2254-1 vs. tracker

2011-06-04 Thread Francesco Poli
Hello,
while looking at DSA-2254-1 [1], I noticed that the CVE-2011-1760
tracker page [2] does not list oprofile versions for wheezy or sid.
Maybe it's because the fixed version info for (unstable) is referred
to the non-existent source package opcontrol?

[1] http://lists.debian.org/debian-security-announce/2011/msg00124.html
[2] http://security-tracker.debian.org/tracker/CVE-2011-1760


