[Secure-testing-commits] r11870 - data/CVE
sean finney
seanius at debian.org
Fri May 15 07:01:13 UTC 2009
hi everyone,
On Thu, May 14, 2009 at 01:58:05PM -0400, Michael S. Gilbert wrote:
> i apologize for the confusion. i interpreted [1],[2] as commits to the
> unstable version that happened after upload of 5.2.9.dfsg.1-2 to
> unstable, but now realize that they were actually commits to your
> etch/lenny branches. i also did not see mention of this CVE in your
> changelog or anywhere in the source:
>
> $ grep -R 2009-0754 *
it might clear up the confusion a bit to point out that 5.2.9.dfsg.1-1, which
fixed this problem for testing/unstable, was uploaded on or around 24/03/2009,
whereas the bug was reported afterwards, on 07/04/2009. so there was no
action on the part of the maintainers to "fix" this bug; we got it for free.
> if an upstream version fixes a CVE, that fact is supposed to be in the
> debian changelog, correct?
yes, assuming we know about it when we're preparing the new release.
in this case i think that the bug should have been reported against
php5/lenny (with a "found" added for the etch version), but it's pretty
understandable that the relevant data was missed/overlooked, or not present
at all as is often the case with php related security issues. i hope this
gives a bit of justification towards the individual bug reports approach
i was advocating earlier, as it helps decrease the chances of stuff like
this :)
i suppose i could also see an argument for making updates to the older
changelog entries for posterity. personally though, i'm a fan of the
append-only model for all but the gravest factual/spelling/encoding
errors and omissions.
> > Thanks. And for the record, I always try to keep the php5 info up to date,
> > since I'm on both teams.
>
> do you want me to steer clear of anything related to php then? i
> didn't realize that certain aspects of the archive were claimed by
> specific individuals.
i can't speak for raphael, but i appreciate any and all help. i just hope
that if anything i say ever comes off as a bit... surly... you take it
with a grain of salt. dealing with upstream security issues in php is
probably the shittiest task i have in debian :(
sean