[Secure-testing-commits] r11870 - data/CVE
Michael S. Gilbert
michael.s.gilbert at gmail.com
Thu May 14 21:38:41 UTC 2009
On Thu, 14 May 2009 16:17:11 -0500, Raphael Geissert wrote:
> Michael S. Gilbert wrote:
> > On Tue, 12 May 2009 20:56:20 -0500, Raphael Geissert wrote:
> >
> > i apologize for the confusion. i interpreted [1],[2] as commits to the
> > unstable version that happened after upload of 5.2.9.dfsg.1-2 to
> > unstable, but now realize that they were actually commits to your
> > etch/lenny branches. i also did not see mention of this CVE in your
> > changelog or anywhere in the source:
> >
> > $ grep -R 2009-0754 *
>
> I noticed the bug closer was not added to the changelog so I manually closed
> the report (and now that I think about it, I forgot to add it to the
> changelog for the -3 upload, will have to do it in the next round.)
>
> >
> > although now i have done a little more work and found that the patch
> > is indeed present in 5.2.9.dfsg.1-2.
> >
> > if an upstream version fixes a CVE, that fact is supposed to be in the
> > debian changelog, correct?
>
> Yes, but you shouldn't trust maintainers, you should always check. Sadly,
> there have been cases where the patch was not really applied, shipped, or
> whatever.
in an ideal world, we should be able to fully trust the maintainer; and
also expect them to take full responsibility to address security
issues in their packages. alas, the real world is rather not like this...
> >> Thanks. And for the record, I always try to keep the php5 info up to
> >> date, since I'm on both teams.
> >
> > do you want me to steer clear of anything related to php then?
>
> No, I didn't mean to say that. Asking you to do that would be adverse, and a
> risk.
ok, glad we've cleared this up. i'm trying to do a good job, and i'm
getting better. there is a lot to learn, and there is a lot of
potential for mistakes.
mike
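The check the thread argues for, as an added example rather than anything from the list or the php5 package: classify a CVE id against an unpacked Debian source tree so the two mismatches discussed above (patch applied but changelog silent, or changelog claims a fix with no trace in the source) are reported explicitly. The directory layout and the sample tree contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: classify a CVE id against a Debian
# source tree, distinguishing the two mismatches discussed above (patch
# applied but changelog silent, or changelog claims a fix with no trace in
# the source). Directory layout and sample contents are assumptions.

# cve_status SRCDIR CVE-ID -> prints one of:
#   fixed-and-documented, patched-not-in-changelog,
#   documented-not-patched, not-found
cve_status() {
    srcdir="$1"
    cve="$2"
    in_changelog=0
    in_source=0
    if [ -f "$srcdir/debian/changelog" ] && grep -q "$cve" "$srcdir/debian/changelog"; then
        in_changelog=1
    fi
    # Search everything except the changelog itself: debian/patches,
    # upstream NEWS, inline fixes in the code (the grep -R from the thread).
    if grep -rq --exclude=changelog "$cve" "$srcdir"; then
        in_source=1
    fi
    case "$in_changelog$in_source" in
        11) echo fixed-and-documented ;;
        01) echo patched-not-in-changelog ;;
        10) echo documented-not-patched ;;
        *)  echo not-found ;;
    esac
}

# Constructed sample tree mirroring the situation in the thread: the fix for
# CVE-2009-0754 is in the source, but the changelog entry never names it.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/debian/patches"
    printf 'php5 (5.2.9.dfsg.1-2) unstable; urgency=low\n\n  * New upstream release.\n\n' \
        > "$dir/debian/changelog"
    printf '# constructed placeholder patch header, not the real fix\n# Fix for CVE-2009-0754\n' \
        > "$dir/debian/patches/cve-2009-0754.patch"
    echo "$dir"
}

# Usage as a script: ./cve_status.sh /path/to/unpacked/source CVE-2009-0754
if [ $# -eq 2 ]; then
    cve_status "$1" "$2"
fi
```

Run against a real unpacked source, a "documented-not-patched" result is the case the reply warns about and is worth a closer look at the patch series before trusting the changelog.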