Roberto C. Sánchez wrote:
> According to your page, there are two vulnerabilities for mutt in Sarge:
>
> http://security-tracker.debian.net/tracker/CVE-2006-5297
> http://security-tracker.debian.net/tracker/CVE-2006-5298
>
> Now, I reported #311296 about two years ago, and shortly after you
> emailed the bug saying that it had been assigned CAN-2005-2351. So my
> questions are:
>
> 1. Given the nature of #311296 (unsafe temp file creation by using a
> predictable scheme), is it not related to #396104 (which covers both
> of the above CVEs)?

Yes, it would make it easier to exploit those security holes.

> 2. If the two are related, should they not both have been solved
> together?

Perhaps; it seems that mutt's maintainer just took upstream's fix.

> 3. Why does the security-tracker not track CAN IDs? Are those
> automatically considered lower severity than low severity CVEs?

All CAN's were renamed to CVE's last year.

-- 
see shy jo