On Tue, 08 Dec 2009 09:26:54 +0100, Torsten Werner wrote:

> Michael Gilbert schrieb:
> > it is much more straightforward to simply check that the
> > existing fix is applied. since you should have a relationship with
> > upstream, it should be relatively straightforward to get a response
> > from them.
>
> Upstream states that the package is fixed in version 6.1.7 at
> <http://jira.codehaus.org/browse/JETTY-386#action_117699> and this page
> is linked from
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6672>. The
> oldest version from the jetty6 code base we ever had in Debian is 6.1.18.
you've mentioned this before, and i had seen that before submitting the
bug. if changelog entries were considered sufficient, i would have had
no reason to submit the bug in the first place.

> > also, this package is your responsibility, so you can't
> > expect others to do your job for you.
>
> You have reported a bug that is more than 2.5 years old. How much
> history should the maintainer check in your opinion before he ever
> uploads to Debian? 2 years, 5 years, 10 years, 20 years...?

for security-related issues, yes, the entire lifetime of the program.

> > if you think this request is overburdensome/unjustified, you can send an
> > email to secur...@debian.org. be aware that they expect this level of
> > thoroughness at a minimum.
>
> I do accept bug reports with false positives from the security team when
> time constraints do not allow proper checking because getting the
> information fast is more important in such cases than verifying the
> information. But that is a different story. You are reporting a bug that
> has been fixed some years ago and you could have verified it yourself.

like i said, i did do the verification that you mentioned, but again
this is not sufficient. triaging this issue has been a todo for the
security team for the past 2.5 years, and i am trying to close it off.
please help me out.

thank you.
mike