On Wed, Nov 26, 2008 at 12:50:19AM -0800, Devin Carraway wrote:
> On Mon, Nov 17, 2008 at 01:13:23PM -0800, Devin Carraway wrote:
> > > mysql-dfsg-5.0 / CVE-2008-4098
> > > Devin, you prepared the DSA. Since the upstream release is much more
> > > recent than Lenny and won't migrate, can you prepare an update for
> > > Lenny/testing-proposed-updates?
>
> Proposed upload is here -- given the broad use of the package and the
> consequences of a mistake, can someone give it a look over?
>
> http://devin.com/debian/security/mysql-dfsg-5.0_lenny.debdiff
> http://devin.com/debian/security/mysql/lenny/
>
> > > pidgin / CVE-2008-2955, CVE-2008-2956
> > > Patch status unclear.
>
> I reviewed the patches; upstream claims that CVE-2008-2955 is already fixed by
> the version in Lenny; subsequent changes have improved protocol consistency
> following an attack but are not overtly security-relevant.
Ack, committed to tracker.
> The only extant
> patch for CVE-2008-2956 was submitted by the reporter, and has not been
> accepted either by upstream or by the Debian maintainer. Given the difficulty
> of real-world exploitation and the modest consequences thereof, I think we're
> better off letting this one be.
I've committed it as lenny no-dsa; if a patch emerges later we can fix it along
with more serious issues, if any arrive later in the time frame of the Lenny
support.
Cheers,
Moritz