[Secure-testing-commits] r11870 - data/CVE
Raphael Geissert
atomo64+debian at gmail.com
Thu May 14 21:17:11 UTC 2009
Michael S. Gilbert wrote:
> On Tue, 12 May 2009 20:56:20 -0500, Raphael Geissert wrote:
>
> I apologize for the confusion. I interpreted [1],[2] as commits to the
> unstable version that happened after upload of 5.2.9.dfsg.1-2 to
> unstable, but now realize that they were actually commits to your
> etch/lenny branches. I also did not see mention of this CVE in your
> changelog or anywhere in the source:
>
> $ grep -R 2009-0754 *
I noticed the bug closer was not added to the changelog, so I manually closed
the report (and now that I think about it, I forgot to add it to the
changelog for the -3 upload; I will have to do it in the next round).
>
> Although now I have done a little more work and found that the patch
> is indeed present in 5.2.9.dfsg.1-2.
>
> If an upstream version fixes a CVE, that fact is supposed to be in the
> Debian changelog, correct?
Yes, but you shouldn't trust maintainers, you should always check. Sadly,
there have been cases where the patch was not really applied, shipped, or
whatever.
>
>> Thanks. And for the record, I always try to keep the php5 info up to
>> date, since I'm on both teams.
>
> Do you want me to steer clear of anything related to php then?
No, I didn't mean to say that. Asking you to do that would be adverse, and a
risk.
> I didn't realize that certain aspects of the archive were claimed by
> specific individuals.
>
Regards,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net