In GLSA 201612-07 (more correctly, I saw https://security.gentoo.org/glsa/201612-07), CVE-2015-7805 is referred to. But the correct entry is CVE-2015-0860.[1]

[1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0860

Wrong GLSA is bad, so it has to be fixed.

But... I think there's more. From time to time you see very old issues appear in GLSA. The mentioned CVE was last revised on 2015-**12-04**, and the GLSA appeared on 2016-**12-04**, i.e. exactly a year later. Recommended ebuild, 1.17.26, was last changed (by being stabilized on ia64) on 2016-01-11, so it's long overdue.

(I don't know glsa internals, but is it done by a bot? See Bug 567258, comment #12: https://bugs.gentoo.org/show_bug.cgi?id=567258#c12 )

Thanks Gentoo devs. Regards.

Reproducible: Always

(In reply to teika from comment #0)
> In GLSA 201612-07 (more correctly, I saw
> https://security.gentoo.org/glsa/201612-07), CVE-2015-7805 is referred to.
> But the correct entry is CVE-2015-0860.[1]
>
> [1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0860
>
> Wrong GLSA is bad, so it has to be fixed.
>
> But... I think there's more. From time to time you see very old issues
> appear in GLSA. The mentioned CVE was last revised on 2015-**12-04**, and
> the GLSA appeared on 2016-**12-04**, i.e. exactly a year later. Recommended
> ebuild, 1.17.26, was last changed (by being stabilized on ia64) on
> 2016-01-11, so it's long overdue.
>
> (I don't know glsa internals, but is it done by a bot? See Bug 567258,
> comment #12: https://bugs.gentoo.org/show_bug.cgi?id=567258#c12 )
>
> Thanks Gentoo devs. Regards.
>
> Reproducible: Always

Due to the amount of security bugs and lack of team members we often fall behind on GLSA release. The same can be said for the stabilization of vulnerable packages.

The GLSA CVE reference has been fixed and pushed. Thank you for the report.