On Mon, Nov 17, 2008 at 01:13:23PM -0800, Devin Carraway wrote:
> > mysql-dfsg-5.0 / CVE-2008-4098
> > Devin, you prepared the DSA. Since the upstream release is much more
> > recent than Lenny and won't migrate, can you prepare an update for
> > Lenny/testing-proposed-updates?

Proposed upload is here -- given the broad use of the package and the consequences of a mistake, can someone give it a look over?

http://devin.com/debian/security/mysql-dfsg-5.0_lenny.debdiff
http://devin.com/debian/security/mysql/lenny/

> > pidgin / CVE-2008-2955, CVE-2008-2956
> > Patch status unclear.

I reviewed the patches; upstream claims that CVE-2008-2955 is already fixed by the version in Lenny; subsequent changes have improved protocol consistency following an attack but are not overtly security-relevant. The only extant patch for CVE-2008-2956 was submitted by the reporter, and has not been accepted either by upstream or by the Debian maintainer. Given the difficulty of real-world exploitation and the modest consequences thereof, I think we're better off letting this one be.

--
Devin \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

