On Wed, Mar 21, 2007 at 12:22:48AM -0400, Joey Hess wrote:
> Roberto C. Sánchez wrote:
> > According to your page, there are two vulnerabilities for mutt in Sarge:
> >
> > http://security-tracker.debian.net/tracker/CVE-2006-5297
> > http://security-tracker.debian.net/tracker/CVE-2006-5298
> >
> > Now, I reported #311296 about two years ago, and shortly after you
> > emailed the bug saying that it had been assigned CAN-2005-2351. So my
> > questions are:
> >
> > 1. Given the nature of #311296 (unsafe temp file creation by using a
> > predictable scheme), is it not related to #396104 (which covers both
> > of the above CVEs)?
>
> Yes, it would make it easier to exploit those security holes.
>
> > 2. If the two are related, should they not both have been solved
> > together?
>
> Perhaps; it seems that mutt's maintainer just took upstream's fix.
>
> > 3. Why does the security-tracker not track CAN IDs? Are those
> > automatically considered lower severity than low severity CVEs?
>
> All CAN's were renamed to CVE's last year.
>

Thanks for the clarification.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com