On Mon, Nov 17, 2008 at 06:55:13AM +0100, Moritz Muehlenhoff wrote: > Hi, > I went through all the open Lenny security issues and commented on them > briefly.
Updated status below: dovecot / CVE-2008-4578 Upstream patch for 1.1 in #502967, needs backport. The issue itself looks harmless, might be suitable for no-dsa for Lenny liquidsoap / CVE-2008-4965 Fixed in a DTSA, but doesn't seem to have reached Lenny yet? Currenly waiting for hppa build glibc / CVE-2008-1447 Florian, do you know the status of a hardened resolver? movabletype-opensource / CVE-2008-4634 (Dominic) Upstream says that more issues are coming, no reaction from upstream since 8 Nov 2008 Patch for XSS issue is extracted. Dominic will revisit this week. mysql-dfsg-5.0 / CVE-2008-4098 (Devin) Devin, you prepared the DSA. Since the upstream release is much more recent than Lenny and won't migrate, can you prepare an update for Lenny/testing-proposed-updates? ffmpeg-debian / CVE-2008-4869 It's a bit silly to single out a few security problems, since ffmpeg issues aren't systematically tracked. Maintainer has prepared patches for this. opendb / CVE-2008-4796 Filed for removal, #505728. Make sure it's removed before Lenny release. linux-2.6 / CVE-2007-6514 This one needs retesting with current kernels. mplayer / CVE-2007-6718 (Nico) The infinite loop is harmless, the other two open issues should be checked in more depth, but the appear as regular bugs rather than security issues. mplayer / CVE-2008-4610 (Nico) The ogm file is handled gracefully, the aac file crashes mplayer, but needs some checking, whether it's really a security problem. nagios3 / CVE-2008-5028 The maintainer is working on an update. openldap / #253838 Needs more prodding. pidgin / CVE-2008-2955, CVE-2008-2956 (Devin) Patch status unclear. python2.[45] / CVE-2008-4864 2.5 fixed in unstable, 2.4 missing. qemu / CVE-2008-0928 Patches break existing images. qemu / CVE-2008-4539 Fixed in experimental, unstable still needed. redhat-cluster CVE-2008-4192 / CVE-2008-4579 / CVE-2008-4580 (Stefan) Fixed in unstable, need lenny backports ruby1.9 / CVE-2008-3443 (Moritz) This one's unclear. Code in 1.9 is very different from 1.8. Upstream has been contacted to clarify. smarty CVE-2008-4810 / CVE-2008-4811 -4810 is about the original bug, -4811 is about the incomplete fix for all the attack vectors. Raphael hasn't heard from upstream about -4811 tor / #505178 Fixed in experimental, Peter will fix it for Lenny with an upcoming point release. xemacs21 / CVE-2008-2142 xemacs seems fairly unmaintained, so this likely needs a NMU. xen-3 /CVE-2008-4993, CVE-2008-2004, CVE-2008-4405 Patches can be picked from Red Hat, since they've already released updates. xine-lib #498243 No upstream patches, but the descriptions in the advisory are fairly verbose. universalindentgui (#504726) Patch available in the bug, but package and the patch need further cleanups. It might also be an option to drop it from Lenny and let it mature more for Squeeze. wordpress (504771) Needs a sponsored upload. Unclear older Mozilla issues, the ones w/o references to Mozilla bug entries should be sent to [EMAIL PROTECTED] for status/clarification: (Moritz) xulrunner CVE-2007-3144, CVE-2007-3827 iceape CVE-2007-1084, CVE-2007-3144, CVE-2007-3827 icedove CVE-2008-0419 iceweasel CVE-2007-1084, CVE-2007-1970, CVE-2007-3144, CVE-2007-3827, CVE-2008-0367, CVE-2008-2419 _______________________________________________ Secure-testing-team mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
