Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-03-01 Thread Tim Brown
On Tuesday 19 February 2008 20:12:29 Nico Golde wrote: It probably also needs rewording since SuSE confirmed it affected them and I think we agree it affects Debian. How do we go about doing that - is that something for you guys or do I need to get involved? I see your point, I will

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-03-01 Thread Nico Golde
Hi Tim, * Tim Brown [EMAIL PROTECTED] [2008-03-01 15:28]: On Tuesday 19 February 2008 20:12:29 Nico Golde wrote: It probably also needs rewording since SuSE confirmed it affected them and I think we agree it affects Debian. How do we go about doing that - is that something for you

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-03-01 Thread Tim Brown
On Saturday 01 March 2008 14:44:01 Nico Golde wrote: Hi Tim, * Tim Brown [EMAIL PROTECTED] [2008-03-01 15:28]: On Tuesday 19 February 2008 20:12:29 Nico Golde wrote: It probably also needs rewording since SuSE confirmed it affected them and I think we agree it affects Debian. How

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-03-01 Thread Nico Golde
Hi Tim, * Tim Brown [EMAIL PROTECTED] [2008-03-01 16:19]: On Saturday 01 March 2008 14:44:01 Nico Golde wrote: [...] Huh? which allows local and remote attackers to execute arbitrary commands [...] I saw that, but assumed it would reference Debian in some manner. After all Debian

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-19 Thread Nico Golde
retitle 466146 festival: CVE-2007-4074 default configuration allows unauthenticated remote code execution thanks Hi Tim, * Tim Brown [EMAIL PROTECTED] [2008-02-17 04:18]: Package: festival Version: 1.96~beta-5 Severity: critical Tags: security Justification: root security hole Nth

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-19 Thread Kumar Appaiah
On Tue, Feb 19, 2008 at 12:16:14PM +0100, Nico Golde wrote: Hi Tim, this is somehow strange, this CVE id was already fixed in 1.4.3-21 referring to the security tracker (see bug #435445 for reference). Did this fix get lost somewhere in the package history? Dear Nico, It appears that

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-19 Thread Nico Golde
Hi Tim, this is somehow strange, this CVE id was already fixed in 1.4.3-21 referring to the security tracker (see bug #435445 for reference). Did this fix get lost somewhere in the package history? Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-19 Thread Tim Brown
On Tue, 19 Feb 2008, Kumar Appaiah wrote: On Tue, Feb 19, 2008 at 12:16:14PM +0100, Nico Golde wrote: Hi Tim, this is somehow strange, this CVE id was already fixed in 1.4.3-21 referring to the security tracker (see bug #435445 for reference). Did this fix get lost somewhere in the package

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-19 Thread Tim Brown
Nico, I've just noticed that the security tracker http://security-tracker.debian.net/tracker/status/release/unstable has been updated for festival. However it is wrong. This bug *is* remotely exploitable (due to the aforementioned lack of ACLs). Tim -- Tim Brown mailto:[EMAIL PROTECTED]

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-19 Thread Nico Golde
Hi Tim, * Tim Brown [EMAIL PROTECTED] [2008-02-19 20:08]: I've just noticed that the security tracker http://security-tracker.debian.net/tracker/status/release/unstable has been updated for festival. However it is wrong. This bug *is* remotely exploitable (due to the aforementioned lack

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-19 Thread Tim Brown
On Tuesday 19 February 2008 19:20:23 Nico Golde wrote: * Tim Brown [EMAIL PROTECTED] [2008-02-19 20:08]: I've just noticed that the security tracker http://security-tracker.debian.net/tracker/status/release/unstable has been updated for festival. However it is wrong. This bug *is*

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-19 Thread Nico Golde
Hi Tim, * Tim Brown [EMAIL PROTECTED] [2008-02-19 20:57]: On Tuesday 19 February 2008 19:20:23 Nico Golde wrote: * Tim Brown [EMAIL PROTECTED] [2008-02-19 20:08]: I've just noticed that the security tracker http://security-tracker.debian.net/tracker/status/release/unstable has been

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-18 Thread Tim Brown
On Monday 18 February 2008 07:42:06 Kumar Appaiah wrote: Dear Tim, Many thanks for the constant support. The package should now be all right with this change, available at the same location. Not a problem - it seems to build cleanly now with no problems. I guess it can be pushed to

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-17 Thread Kumar Appaiah
tags 466146 pending thanks On Sun, Feb 17, 2008 at 05:51:38AM +, Tim Brown wrote: Can I suggest that a password is set (perhaps take a look at the Debian MySQL server package which does something similar for the debian-sys-maint in the /etc/mysql/debian.cnf file). Limiting access to

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-17 Thread Tim Brown
On Sunday 17 February 2008 16:23:37 Kumar Appaiah wrote: dget -x http://mentors.debian.net/debian/pool/main/f/festival/festival_1.96~beta-6.dsc Please note that I now use debconf to ask for the password to be entered. I have tested that the system works fine, but as this is my first

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-17 Thread Tim Brown
On Sunday 17 February 2008 16:23:37 Kumar Appaiah wrote: Please note that I now use debconf to ask for the password to be entered. I have tested that the system works fine, but as this is my first debconf experience, a quick review would be appreciated, followed by upload, as this is a

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-17 Thread Kumar Appaiah
On Sun, Feb 17, 2008 at 05:32:44PM +, Tim Brown wrote: I've just built it here. It is lintian clean and the patch provides the required security fix. However, 2 small points: 1) The logging doesn't work as /var/log/festival isn't created (and owned by festival,audio) 2) Passwords are

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-17 Thread Tim Brown
On Monday 18 February 2008 01:40:00 Kumar Appaiah wrote: On Sun, Feb 17, 2008 at 05:32:44PM +, Tim Brown wrote: I've just built it here. It is lintian clean and the patch provides the required security fix. However, 2 small points: 1) The logging doesn't work as /var/log/festival isn't

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-17 Thread Kumar Appaiah
On 18/02/2008, Tim Brown wrote: dget -x http://mentors.debian.net/debian/pool/main/f/festival/festival_1.96~beta-6.dsc Looks good apart from Lintian reporting: N: N: chown user.group is called in one of the maintainer scripts. The N: correct syntax is chown user:group. Using . as a

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-16 Thread Tim Brown
Package: festival Version: 1.96~beta-5 Severity: critical Tags: security Justification: root security hole Nth Dimension Security Advisory (NDSA20080215) Date: 15th February 2008 Author: Tim Brown mailto:[EMAIL PROTECTED] URL: http://www.nth-dimension.org.uk/ / http://www.machine.org.uk/ Product:

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-16 Thread Kumar Appaiah
tags 466146 pending thanks Hi! A package is ready for upload at mentors. Thanks for the report. If, after consulting my sponsor and some security people, I find that it is OK, it shall be uploaded. Thanks! Kumar -- Kumar Appaiah, 458, Jamuna Hostel, Indian Institute of Technology Madras,

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-16 Thread Tim Brown
On Sunday 17 February 2008 05:13:21 Kumar Appaiah wrote: tags 466146 pending thanks Hi! A package is ready for upload at mentors. Thanks for the report. If, after consulting my sponsor and some security people, I find that it is OK, it shall be uploaded. Kumar, Can I suggest that a

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-16 Thread Kumar Appaiah
On Sun, Feb 17, 2008 at 05:51:38AM +, Tim Brown wrote: A package is ready for upload at mentors. Thanks for the report. If, after consulting my sponsor and some security people, I find that it is OK, it shall be uploaded. Kumar, Can I suggest that a password is set (perhaps take a
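The two controls the thread keeps coming back to are a host ACL (Tim's "lack of ACLs" is what makes the bug remotely exploitable) and a server password (the debconf prompt Kumar added). The fragment below is an added example, not the Debian package's /etc/festival.scm nor anything from the Festival project; it uses Festival's documented server variables (server_port, server_access_list, server_passwd, server_log_file) to show an unrestricted server beside a restricted one. The password string and the log path are placeholders, and the "weak" block is only an illustration of an open server, not a claim about what any distribution shipped.

```scheme
;; Added example (not from the Debian package or the Festival project).
;; Festival evaluates its site configuration as Scheme, so these are plain
;; (set! ...) forms. Assumptions: the variable names are Festival's server
;; settings as documented in its manual; the password and log path below are
;; placeholders.

;; ---- Weak: an open server ----------------------------------------------
;; With no access list and no password, anyone who can reach TCP/1314 can
;; send Scheme expressions that the server evaluates as the user running
;; festival. That is the "unauthenticated remote code execution" in the
;; bug title.
;;
;; (set! server_port 1314)
;; (set! server_access_list nil)   ; no host ACL: every peer is accepted
;; (set! server_passwd nil)        ; no password: expressions run at once

;; ---- Restricted ---------------------------------------------------------
(set! server_port 1314)

;; Host ACL. Each entry is a regular expression matched against the
;; connecting peer; keep it to the local host unless a remote client is
;; genuinely required, and then list that one host, not a wildcard.
(set! server_access_list '("localhost"))

;; Password required before any expression is evaluated. Festival clients
;; send it in the clear on the socket, so it is a second barrier behind the
;; ACL (and a host firewall), not a replacement for either. Keep this file
;; readable only by root and the festival user.
(set! server_passwd "CHANGE-ME-placeholder")

;; Log connections and what they evaluated; the directory must exist and be
;; writable by the user festival runs as (the thread notes the package
;; initially forgot to create /var/log/festival).
(set! server_log_file "/var/log/festival/server.log")
```

To check the result after restarting the server (festival --server), confirm with ss -ltnp that only port 1314 is listening, then connect from a host that is not on the access list and confirm the connection is dropped and logged; from an allowed host, an expression sent without the password should also be refused. Because Festival's server has no bind-address setting in this version as far as the thread and manual show, a packet filter limiting 1314 to the hosts that need it is still worth adding alongside the ACL.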