Hi,

On Wed, May 13, 2015 at 07:43:47PM +0800, Paul Wise wrote:
> On Wed, May 13, 2015 at 5:26 PM, Dominic Hargreaves wrote:
>
> > As far as I can tell from
> >
> > https://security-tracker.debian.org/tracker/CVE-2013-4422
> >
> > wheezy wasn't affected by the original CVE since the version of QT
> > there is < 4.8.5. Is that correct? If so, what's the right way to mark this
> > fact in the security-tracker data?
>
> Add something like the third line here to data/CVE/list:
>
> CVE-2013-4422 (SQL injection vulnerability in Quassel IRC before
> 0.9.1, when Qt 4.8.5 ...)
> - quassel 0.9.1-1
> [wheezy] - quassel <not-affected> (Vulnerable code not present)
<not-affected> (Vulnerable code not present) would not be correct, since the issue appears if one would use qt4 with the backported fix https://bugreports.qt-project.org/browse/QTBUG-30076 . But it can be marked as "unimportant", saying that (for now) the binary packages are "unaffected", since in Debian QTBUG-30076 is not backported to wheezy. Or just leave it that way; the notes make clear when the issue applies to the binary packages as well.

Regards,
Salvatore

Archive: https://lists.debian.org/20150513165007.GA27892@eldamar.local
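A small parser for the data/CVE/list entry layout discussed in this thread, added here as an example; it is not part of the original mails or of the security-tracker code. It assumes the tab-indented `- package version (note)` and `[release] - package <status> (note)` conventions shown in Paul's reply, and the second entry (a CVE-0000-0000 placeholder) is constructed to show the "unimportant" alternative Salvatore describes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the data/CVE/list layout: a header line at column 0,
# then tab-indented package lines. A "[release]" prefix scopes a line to that
# release; the unprefixed line describes unstable (sid).
SAMPLE = """\
CVE-2013-4422 (SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 ...)
\t- quassel 0.9.1-1
\t[wheezy] - quassel <not-affected> (Vulnerable code not present)
CVE-0000-0000 (constructed placeholder entry, not a real CVE)
\t- quassel 0.9.1-1
\t[wheezy] - quassel <unfixed> (unimportant; QTBUG-30076 not backported)
"""

HEADER = re.compile(r"^(CVE-\d{4}-\d{4,})")
PKG = re.compile(
    r"^\t(?:\[(?P<rel>[\w-]+)\] )?- (?P<pkg>\S+) (?P<ver>\S+)(?: \((?P<note>.*)\))?$"
)

@dataclass
class PkgLine:
    release: Optional[str]   # None means the unversioned (sid) line
    package: str
    version: str             # a Debian version, or a <status> token
    note: str = ""

def parse_cve_list(text):
    """Map each CVE id to the package lines listed under it."""
    entries, current = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = entries.setdefault(m.group(1), [])
        elif (m := PKG.match(line)) and current is not None:
            current.append(PkgLine(m["rel"], m["pkg"], m["ver"], m["note"] or ""))
    return entries

def status_for(entries, cve, package, release):
    """Resolve (status, note, severity) for one package in one release.
    A [release] line wins over the sid line; a plain version means 'fixed'.
    Severity is taken from an 'unimportant' marker in the note (assumption)."""
    lines = [l for l in entries[cve] if l.package == package]
    chosen = (next((l for l in lines if l.release == release), None)
              or next((l for l in lines if l.release is None), None))
    if chosen is None:
        return ("unknown", "", None)
    status = chosen.version.strip("<>") if chosen.version.startswith("<") else "fixed"
    severity = "unimportant" if "unimportant" in chosen.note.lower() else None
    return (status, chosen.note, severity)
```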