On Tue, Mar 20, 2007 at 04:24:59PM -0400, Joey Hess wrote:
>
> It doesn't work much like the security support for stable, because
> testing is not managed like stable is. Feel free to look at the lists of
> known unfixed vulnerabilities in stable and testing, and draw your own
> conclusions about which is more secure:
> http://security-tracker.debian.net/tracker/status/release/stable
> http://security-tracker.debian.net/tracker/status/release/testing
>

That was certainly enlightening :-)

OK. So, I have a question about mutt. According to your page, there are
two vulnerabilities for mutt in Sarge:

http://security-tracker.debian.net/tracker/CVE-2006-5297
http://security-tracker.debian.net/tracker/CVE-2006-5298

Now, I reported #311296 about two years ago, and shortly after you
emailed the bug saying that it had been assigned CAN-2005-2351. So my
questions are:

1. Given the nature of #311296 (unsafe temp file creation by using a
   predictable scheme), is it not related to #396104 (which covers both
   of the above CVEs)?
2. If the two are related, should they not both have been solved
   together?
3. Why does the security-tracker not track CAN IDs? Are those
   automatically considered lower severity than low severity CVEs?

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com