[Secure-testing-team] [Secure-testing-commits] r12553 - data/CVE
Michael S. Gilbert
michael.s.gilbert at gmail.com
Tue Aug 11 17:14:00 UTC 2009
On Tue, 11 Aug 2009 19:07:06 +0200, Moritz Muehlenhoff wrote:
> On Mon, Aug 10, 2009 at 09:35:17PM +0200, Nico Golde wrote:
> > Hi,
> > * Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-10 21:14]:
> > > On Mon, 10 Aug 2009 18:58:17 +0000, Nico Golde wrote:
> > [...]
> > > > CVE-2009-2414 [libxml2 stack recursion]
> > > > RESERVED
> > > > - libxml2 <unfixed> (medium; bug #540865)
> > > > - [etch] - libxml <unfixed>
> > > > + [lenny] - libxml <removed>
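Review bot: the added `[lenny] - libxml <removed>` line replaces the `[etch] - libxml <unfixed>` entry, so after this change libxml carries only a lenny-scoped annotation and its state in etch is no longer written down anywhere. If the intent is that libxml is gone from the newer suites but still affected in etch, an entry without a suite tag, `- libxml <removed>`, states that once and leaves the per-suite status to the tracker's knowledge of which suite contains the package.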
> > >
> > > i still don't think this is what you're trying to get at. you want to
> > > mark it as removed from unstable, which will automatically also mark
> > > it removed from lenny.
> >
> > No, why should it remove it as removed from lenny as well in
> > this case?
> >
> > > then you want to do something special for etch, and i think your intent
> > > is a no-dsa?
> >
> > Not sure yet.
> >
> > > or if you don't want to do that, you can not add an etch
> > > entry, and it will be tracked as affected.
> >
> > So my current intention is to mark lenny as not containing
> > libxml and since this will be tracked upwards unless marked
> > as unfixed in unstable this should mark unstable as not
> > containing libxml as well but etch as unfixed.
>
> Just use:
> libxml2 <unfixed> (medium; bug #540865)
> libxml <removed>
i helped Nico to do exactly this yesterday.
> The tracker knows which source package is present in which
> suite. If a package is marked as <removed> in unstable it is
> automatically marked as unfixed for all the suites it still
> remains in.
>
> (It would be nice if anyone could add this to the introductory
> explanation document.)
if i find the time, i will.
mike
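
The rule Moritz describes above, as an added example that is not part of the original messages or the tracker's code: a simplified Python model of how two entries without suite tags resolve per suite. The suite contents in `SUITES` and the function names `parse_entries` and `resolve` are assumptions made for illustration.

```python
# Simplified model of the rule described in the thread; not the tracker's code.
# Constructed suite contents (assumption): libxml survives only in etch.
SUITES = {
    "etch": {"libxml", "libxml2"},
    "lenny": {"libxml2"},
    "unstable": {"libxml2"},
}

# The two entries suggested in the thread, without suite tags.
SUGGESTED = """
libxml2 <unfixed> (medium; bug #540865)
libxml <removed>
"""

def parse_entries(text):
    """Return {package: state} for lines of the form 'package <state> ...'."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.strip().lstrip("-").split()
        if not fields:
            continue
        if len(fields) < 2 or not (fields[1].startswith("<") and fields[1].endswith(">")):
            raise ValueError(f"unrecognised entry: {raw!r}")
        entries[fields[0]] = fields[1][1:-1]
    return entries

def resolve(entries, suites):
    """Derive a per-suite status for every annotated package."""
    status = {}
    for suite, present in suites.items():
        for package, state in entries.items():
            if state not in ("unfixed", "removed"):
                raise ValueError(f"state not modelled here: {state}")
            # A package absent from a suite cannot be affected there; one that
            # is still present stays unfixed, even if unstable has dropped it.
            status[(suite, package)] = "unfixed" if package in present else "not present"
    return status

if __name__ == "__main__":
    for (suite, package), state in sorted(resolve(parse_entries(SUGGESTED), SUITES).items()):
        print(f"{suite:9} {package:8} {state}")
```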