[Secure-testing-team] Updates for testing-security track page
Moritz Muehlenhoff
jmm at inutil.org
Thu Jun 8 20:34:00 UTC 2006
Djoume SALVETTI wrote:
> Le lun 05 jun 2006 13:53:39 GMT Djoume SALVETTI <Djoume.Salvetti at crans.org> a écrit :
> > > It's usually better to add "- mozilla-thunderbird <removed>"
> > > annotations. Otherwise, you might need to edit the CVE/list file for
> > > the DSA.
> >
> > Ok, so I'll add a :
> >
> > - mozilla-firefox <removed>
> >
> > to each firefox CVE if nobody object (and the same for thunderbird).
>
> After more reflexion, I'm not sure it's a good idea to add all this
> <removed> entries when the issue is disclosed after the package have
> been removed.
Yes, for packages like mysql-dfsg-4.1 it's not quite needed.
> Also, I don't understand why I would have to edit the CVE/list file for
> the DSA if I only add
>
> [sarge] - mozilla-firefox 1.2.3
>
> or
>
> [sarge] - mozilla-firefox <unfixed> (bug #123456)
>
> or
>
> [sarge] - mozilla-firefox <not-affected> (Only 1.5 is vulnerable)
You only need the third. The second is implicit, and information about fixes
in Sarge are coming through DSA/list. (With some exceptions like minor security
fixes coming through stable-proposed-updates)
Cheers,
Moritz
More information about the Secure-testing-team
mailing list