Bug#617655: unixodbc: buffer overflow in SQLDriverConnect function

2012-07-09 Thread Jonathan Wiltshire

On 2012-07-08 23:28, Steve Langasek wrote:

> On Sun, Jul 08, 2012 at 07:15:10PM -, Jonathan Wiltshire wrote:
>> Recently you fixed one or more security problems and as a result you closed
>> this bug. These problems were not serious enough for a Debian Security
>> Advisory, so they are now on my radar for fixing in the following suites
>> through point releases:
>>
>> squeeze (6.0.6) - use target stable
>>
>> Please prepare a minimal-changes upload targeting each of these suites,
>> and submit a debdiff to the Release Team [0] for consideration. They will
>> offer additional guidance or instruct you to upload your package.
>
> Since when do we expect maintainers to spend their time preparing stable
> release updates for security bugs that are not important enough to have DSAs
> issued?  I find this absurd.  If it's worth fixing, it should be fixed
> through the security process.
>
> This particular bug is a buffer overflow in handling of user-provided input
> to a non-privileged library.  Don't expect me to prepare a stable upload for
> this if it's not important enough to get a DSA.

Thanks for the information; tracker updated (and copying t...@security.debian.org
for your feedback).

--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#617655: unixodbc: buffer overflow in SQLDriverConnect function

2012-07-08 Thread Jonathan Wiltshire
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target stable

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/617655/
2: 201101232332.11736.th...@debian.org
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51







Bug#617655: unixodbc: buffer overflow in SQLDriverConnect function

2012-07-08 Thread Steve Langasek
On Sun, Jul 08, 2012 at 07:15:10PM -, Jonathan Wiltshire wrote:
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
>
> squeeze (6.0.6) - use target stable
>
> Please prepare a minimal-changes upload targeting each of these suites,
> and submit a debdiff to the Release Team [0] for consideration. They will
> offer additional guidance or instruct you to upload your package.

Since when do we expect maintainers to spend their time preparing stable
release updates for security bugs that are not important enough to have DSAs
issued?  I find this absurd.  If it's worth fixing, it should be fixed
through the security process.

This particular bug is a buffer overflow in handling of user-provided input
to a non-privileged library.  Don't expect me to prepare a stable upload for
this if it's not important enough to get a DSA.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developerhttp://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




Bug#617655: unixodbc: buffer overflow in SQLDriverConnect function

2011-03-10 Thread Luciano Bello
Package: unixodbc
Version: 2.2.14p2-2
Severity: normal
Tags: upstream patch security

Hi,
 A buffer overflow in unixODBC has been reported in
http://seclists.org/oss-sec/2011/q1/446 . The fix can be found here:
http://unixodbc.svn.sourceforge.net/viewvc/unixodbc/trunk/DriverManager/SQLDriverConnect.c?r1=23&r2=27

thanks! luciano


