Your message dated Wed, 6 Feb 2008 12:17:55 +0100
with message-id <[EMAIL PROTECTED]>
and subject line security.debian.org: wasn't CVE-2007-2645 fixed in DSA-1310-1?
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: security.debian.org
Severity: grave

according to the bug report log [1], the 0.6.13-etch1 upload of
libexif12 fixed the security vulnerability described by CVE-2007-2645.
however, the associated DSA [2] says that the upload of 0.6.13-etch1
fixed the vulnerability described by CVE-2006-4168.

it seems very likely someone mistakenly reversed the CVE numbers.  so it
is probably the case that CVE-2007-2645 was fixed long ago in etch,
and CVE-2006-4168 still remains unaddressed.

[1] http://bugs.debian.org/424775
[2] http://www.debian.org/security/2007/dsa-1310

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
--- Begin Message ---

Michael Gilbert wrote:
> Package: security.debian.org
> Severity: grave
> 
> according to the bug report log [1], the 0.6.13-etch1 upload of
> libexif12 fixed the security vulnerability described by CVE-2007-2645.
> however, the associated DSA [2] says that the upload of 0.6.13-etch1
> fixed the vulnerability described by CVE-2006-4168.
> 
> it seems very likely someone mistakenly reversed the CVE numbers.  so it
> is probably the case that CVE-2007-2645 was fixed long ago in etch,
> and CVE-2006-4168 still remains unaddressed.
> 
> [1] http://bugs.debian.org/424775
> [2] http://www.debian.org/security/2007/dsa-1310

Thanks for bringing this to our attention.

I've verified it in the source code:
The correct patch was used to address CVE-2006-4168, only the wrong
bug number was added to the DSA. Instead of #424775 this should've
read #430012.

Cheers,
        Moritz


--- End Message ---