Il lun, 2003-08-11 alle 02:58, Matt Zimmerman ha scritto: > > I haven't found 2.2.2-6woody2 in the changelog, however 2.2.2-6 has been > > released in december 2001 > > 2.2.2-6woody2 is a later version than 2.2.2-6. 2.2.2-6 has the bugs, > 2.2.2-6woody2 has the fixes.
2.2.2-6 has been released on dec 13 2001, 2.2.2-7 on dec 14 2001 (following the changelog), so 2.2.2-6woody2 should be dated between these 2 days, am i right? > > , so i've to assume fake vulnerabilities (CAN 2003-... ), or at least they > > don't apply to deb packages... but then 2.2.2-13.woody.8 what is for? > > I do not understand the problem. DSA-361-1 states that the vulnerabilities reported have been fixed in 2.2.2-13.woody.8 (and this is the version you can find in the repository)... DSA-361-2 is the same advisory, except that it states that the vulnerabilities have been fixed in 2.2.2-6woody2... and i think that's someway strange that 2 vulnerabilities from this year have been addressed almost 2 years ago (well, not impossible with debian :) )... but then, what's the purpose of 2.2.2-13.woody.8? Really, i suspect a typo in the advisory. Or more likely, i haven't understood too much about the whole thing. Hope i've been clear enough (and forgive me for my little confidence with english). Ciao, Gian Piero.
