On Tue, Nov 18, 2008 at 12:39:36AM +0100, Moritz Muehlenhoff wrote:
> On Mon, Nov 17, 2008 at 06:55:13AM +0100, Moritz Muehlenhoff wrote:
> > Hi,
> >
> > I went through all the open Lenny security issues and commented on them
> > briefly.

Updated status below:
cups / CVE-2008-5183
  Status needs checking

dovecot / CVE-2008-4578
  Upstream patch for 1.1 in #502967, needs backport. The issue itself looks
  harmless, might be suitable for no-dsa for Lenny

ffmpeg-debian / CVE-2008-4869
  It's a bit silly to single out a few security problems, since ffmpeg
  issues aren't systematically tracked. Maintainer has prepared patches for
  this, but no further reaction so far.

flamethrower / CVE-2008-5141
  Dann has already prepared an update, but it's not been uploaded yet.

geshi / CVE-2008-5185
  No maintainer reaction so far, pinged.

iceape / many
  Fixed in unstable, but the stable maintenance is still not sorted out

icedove / many
  No fix uploaded yet.

linux-2.6 / CVE-2007-6514
  This one needs retesting with current kernels.

ltp / CVE-2008-4969, CVE-2008-5145
  Documented as insecure, but not properly applied yet

mailscanner / CVE-2008-5140 and more mentioned in the Debian bug
  No fix yet.

mplayer / CVE-2007-6718 (Nico)
  The infinite loop is harmless, the other two open issues should be
  checked in more depth, but they appear as regular bugs rather than
  security issues.

mplayer / CVE-2008-4610 (Nico)
  The ogm file is handled gracefully, the aac file crashes mplayer, but
  needs some checking, whether it's really a security problem.

msp-webserver / CVE-2008-5160
  Appears to have many quality issues, pushed for removal

mysql-dfsg-5.0 / CVE-2008-4098 (Devin)
  Devin prepared an update for testing-proposed-updates, acked by RMs.

nagios3 / CVE-2008-5028
  Maintainer wanted to have had it ready by last Friday, needs prodding.

openldap / #253838
  Upstream fixed it, still needs upload

p3nfs / CVE-2008-5154
  Unfixed, no maintainer reaction

pidgin / CVE-2008-2955, CVE-2008-2956 (Devin)
  Patch status unclear.

qemu / CVE-2008-0928
  Patches break existing images.

qemu / CVE-2008-4539
  Fixed in experimental, unstable still needed.

quassel / #506550
  Maintainer apparently has an update ready, but needs a sponsor.

redhat-cluster / CVE-2008-4192, CVE-2008-4579, CVE-2008-4580 (Stefan)
  Fixed in unstable, needs lenny backports

ruby1.9 / CVE-2008-3443 (Moritz)
  Patch received from upstream, maintainers are preparing an update.

smarty / CVE-2008-4810, CVE-2008-4811
  -4810 is about the original bug, -4811 is about the incomplete fix for
  all the attack vectors. Raphael will ask on oss list.

smsclient / CVE-2008-5155
  Patch available, but no maintainer reaction since September 2008

tkman / CVE-2008-5137
  Unfixed

verlihub / #506530
  Unfixed, no maintainer reaction, obscure fringe package

wireshark / #506741
  Unfixed, minor issue

xemacs21 / CVE-2008-2142
  xemacs seems fairly unmaintained, so this likely needs a NMU.

xen-3 / CVE-2008-4993, CVE-2008-2004, CVE-2008-4405
  Patches can be picked from Red Hat, since they've already released
  updates.

xine-lib / #498243
  Thomas Viehmann was working on patches, is working with Darren Salt,
  who's both the maintainer and upstream

Unclear older Mozilla issues, the ones w/o references to Mozilla bug
entries should be sent to [EMAIL PROTECTED] for status/clarification:
(Moritz)
  xulrunner: CVE-2007-3144, CVE-2007-3827
  iceape:    CVE-2007-1084, CVE-2007-3144, CVE-2007-3827
  icedove:   CVE-2008-0419
  iceweasel: CVE-2007-1084, CVE-2007-1970, CVE-2007-3144, CVE-2007-3827,
             CVE-2008-0367, CVE-2008-2419

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

