Bug#903816: security-tracker: CVE-2017-17689 vs. tracker
Francesco Poli (wintermute)
2018-07-15 08:45:38 UTC
Package: security-tracker
Severity: normal

Hello everyone!

According to [DSA-4244-1] thunderbird/1:52.9.1-1~deb9u1 fixes
CVE-2017-17689 in stretch (security), among other vulnerabilities.

However the tracker page for [CVE-2017-17689] seems to disagree,
while, on the other hand, referencing bug [#898631], which is claimed
to be fixed in oldstable, stable, testing, and unstable.

But please note that bug [#898631] does not mention CVE-2017-17689
at all!

Oh what a headache!
Which is wrong and which is right?

Could you please clarify and update the tracker data, if needed?

Thanks for your time!

[DSA-4244-1]: <https://lists.debian.org/debian-security-announce/2018/msg00173.html>
[CVE-2017-17689]: <https://security-tracker.debian.org/tracker/CVE-2017-17689>
[#898631]: <https://bugs.debian.org/898631>
Debian Bug Tracking System
2018-07-15 11:42:04 UTC
Your message dated Sun, 15 Jul 2018 13:38:52 +0200
with message-id <***@eldamar.local>
and subject line Re: Bug#903816: security-tracker: CVE-2017-17689 vs. tracker
has caused the Debian Bug report #903816,
regarding security-tracker: CVE-2017-17689 vs. tracker
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
903816: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903816
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Francesco Poli
2018-07-15 13:03:43 UTC
On Sun, 15 Jul 2018 13:38:52 +0200 Salvatore Bonaccorso wrote:

[...]
In short, the tracker is correct. The initial DSA mail did contain the
mention of the CVE-2017-17689, but it was wrongly listed. This is why
it was reverted in
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0b041892b1d953fabb4ef8636c02b427a2771663
and the website is as well correct (the mail obviously cannot be fixed
retrospectively).

Ah OK, thanks for clarifying.


But then, maybe, the tracker page for [CVE-2017-17689] should stop
referencing bug [#898631]...

[CVE-2017-17689]: <https://security-tracker.debian.org/tracker/CVE-2017-17689>
[#898631]: <https://bugs.debian.org/898631>
--
http://www.inventati.org/frx/
There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE