[Secure-testing-commits] r11870 - data/CVE
Michael S. Gilbert
michael.s.gilbert at gmail.com
Thu May 14 17:58:05 UTC 2009
On Tue, 12 May 2009 20:56:20 -0500, Raphael Geissert wrote:
> (I'm in a bad mood, sorry if this mail sounds too harsh)
>
> Michael S. Gilbert wrote:
>
> > On Mon, 11 May 2009 01:17:17 +0000 Michael Gilbert wrote:
> >
> >> Author: gilbert-guest
> >> Date: 2009-05-11 01:17:17 +0000 (Mon, 11 May 2009)
> >> New Revision: 11870
> >>
> >> Modified:
> >> data/CVE/list
> >> Log:
> >> CVE-2009-0754 has not yet been uploaded to stable (fix is currently in
> >> php5 git repo and pending upload)
> >
> > watch out for the typo: i meant to say "unstable," not "stable" in this
> > commit message.
>
> WTF?
> This was fixed in 5.2.9 by *upstream*, and 5.2.9-2 is in unstable.
> Do you mind checking what the git commit notifications are talking about
> before making such a change?

i apologize for the confusion. i interpreted [1],[2] as commits to the
unstable version that happened after upload of 5.2.9.dfsg.1-2 to
unstable, but now realize that they were actually commits to your
etch/lenny branches. i also did not see mention of this CVE in your
changelog or anywhere in the source:

  $ grep -R 2009-0754 *

although now i have done a little more work and found that the patch
is indeed present in 5.2.9.dfsg.1-2.

if an upstream version fixes a CVE, that fact is supposed to be in the
debian changelog, correct?

> Thanks. And for the record, I always try to keep the php5 info up to date,
> since I'm on both teams.

do you want me to steer clear of anything related to php then? i
didn't realize that certain aspects of the archive were claimed by
specific individuals.

kind regards,
mike

[1] http://git.debian.org/?p=pkg-php/php.git;a=commitdiff;h=2d73f5fcd24b0a2692beed4784ffc5e530bbe4ea
[2] http://git.debian.org/?p=pkg-php/php.git;a=commitdiff;h=9917a8cb96dfa99d5af30cf4b1670edc81c669bd