On Mon, 20 Apr 2009 12:52:28 +0200, Thijs Kinkhorst wrote:
> On Mon, April 20, 2009 06:15, Michael S. Gilbert wrote:
> > i was looking at the link as provided in redhat's announcement. this
> > seems to be CVE-2009-1285, which debian is already tracking as
> > unimportant. however, the phpmyadmin page considers the issue to be
> > critical. perhaps the debian severity is too low?
>
> This is because Debian by default protects the setup.php page with a
> htaccess-style login and the config file is not writable, thus making the
> vulnerability hard to exploit. I commented this reasoning in my commit
> message to the tracker.
wouldn't it be better to do this with a 'NOTE' since that is permanently
associated with the CVE number? i would have certainly noticed the
justification if that was the case.

> As you can also find in the security tracker:
> http://security-tracker.debian.net/tracker/CVE-2009-1285
> all affected suites (squeeze/sid) are already updated with the new
> version. Therefore we can close this bug.
>
> I appreciate your effort in filing security bugs, but it helps to cross
> reference them to the security tracker before so we prevent unnecessary
> filings.

i had mistakenly missed the CVE number when i first reviewed the issue. i
apologize for the mistake.
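The two mitigations Thijs cites (an authentication requirement on the setup directory and a config file the web server cannot write) are the kind of thing an administrator wants to verify on their own host rather than take on trust. The script below is an added example, not part of this bug report or of the Debian phpmyadmin package: it parses an Apache configuration for a `<Directory ...setup>` block carrying `Require valid-user`, and checks whether a config file is writable by the web server account. The directory and file paths, the `www-data` account name, and the sample configurations are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the phpMyAdmin package).
# Checks the two mitigations described in the thread. All paths and
# account names are assumptions; adjust them to the host being audited.

# 1. Does the Apache config require a login for the setup directory?
#    Prints "yes" if a <Directory ...setup...> block contains
#    "Require valid-user", otherwise "no".
setup_requires_auth() {
    awk '
        /<Directory[^>]*setup/   { inblock = 1 }
        inblock && /Require +valid-user/ { found = 1 }
        /<\/Directory>/          { inblock = 0 }
        END { print (found ? "yes" : "no") }
    ' "$1"
}

# 2. Could the web server account modify the config file?
#    $1 = file, $2 = web server account (Debian uses www-data; the
#    account's primary group is assumed to carry the same name).
#    Prints "writable" or "not writable".
config_writable_by() {
    cfg_file=$1
    web_user=$2
    # ls -ld fields: 1 = mode string (e.g. -rw-r--r--), 3 = owner, 4 = group.
    listing=$(ls -ld "$cfg_file")
    mode=${listing%% *}
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    group=$(printf '%s\n' "$listing" | awk '{print $4}')

    # Mode string positions: 3 = owner write, 6 = group write, 9 = other write.
    case "$mode" in
        ????????w*) echo writable; return ;;          # world-writable
    esac
    if [ "$owner" = "$web_user" ]; then
        case "$mode" in ??w*) echo writable; return ;; esac
    fi
    if [ "$group" = "$web_user" ]; then
        case "$mode" in ?????w*) echo writable; return ;; esac
    fi
    echo "not writable"
}

# Demonstration on constructed input (a temporary directory, cleaned up after).
demo_dir=$(mktemp -d)
cat > "$demo_dir/apache.conf" <<'EOF'
# Constructed sample modelled on an htaccess-style login for the setup tool.
<Directory /usr/share/phpmyadmin/setup>
    AuthType Basic
    AuthName "phpMyAdmin Setup"
    AuthUserFile /etc/phpmyadmin/htpasswd.setup
    Require valid-user
</Directory>
EOF
: > "$demo_dir/config.inc.php"
chmod 644 "$demo_dir/config.inc.php"

echo "setup directory requires auth: $(setup_requires_auth "$demo_dir/apache.conf")"
echo "config file writable by www-data: $(config_writable_by "$demo_dir/config.inc.php" www-data)"
rm -rf "$demo_dir"
```

Run it as any user; the demonstration only touches its own temporary directory. On a real host, point `setup_requires_auth` at the phpmyadmin Apache configuration and `config_writable_by` at the package's `config.inc.php`, and treat "no" or "writable" as the conditions under which the tracker's "unimportant" reasoning no longer applies.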