Quoting Matt Zimmerman ([EMAIL PROTECTED]):
> > I'm about to close 95153, 133049, 158040, 165555, 170580, 173331, 176223,
> > 135603, 161659, 165107, 165135, 165351, 171190, 172529, 173663, 174506,
> > 174508, 174509, 192401, 193544, 101725, 122689, 159575, 165126, 182280,
> > and 189780 with a nice message telling that the bug was reported on a
> Did you check whether any of these bugs are fixed? I reported at least one
> of them, and it is definitely not fixed. You should not close bugs simply
> because they are old.

Yes. IMHO all these bugs are fixed in the new packages I provided for stable users on p.d.o/~ssmeenk/

> > Before you object to this rather 'rude' bug handling, please keep in mind
> > that version 1.8.4 of snort, which is in stable, has 3 severe security
> > exploits, and is completely outdated in catching crooks (rulefiles) and
> > detection mechanisms. Not to speak of package stability ;)
> I think it is quite "rude" to knowingly distribute a package with severe
> security problems without fixing the bugs or even informing other
> developers.

FFS don't act like I'm the bad guy here. I reported the advisories the minute I heard of them, and that was maybe a couple of hours after they have been released to the public. A nice mail went to the security team, and they told me what to do: fix the package in unstable, and try if I was capable of fixing the stable version without using new upstream source. I then told security team I was not capable of doing such a thing.

Time passed and I got a request to create stable packages of new upstream source and provide them on p.d.o. So I did. But for as far as I know, those packages went in the advisory, and the stable archive & stable security updates-apt-source were never updated with a fixed version of the package.

> What are these bugs exactly?

If I recall correctly, it was two memory allocation faults in the RPC code, and one in the fragmented packet reassembly code.

> How long have you been aware of them?

As long as the security team was.

> Or are you perhaps not aware of DSA-297?

I knew it was released, but I probably looked over the fact that indeed the stable version of the snort-package /has/ been fixed. That was stupid of me.

Sander.
-- 
| Amnesia used to be my favorite word, but then I forgot it.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D