[Secure-testing-team] new list, update

Joey Hess joeyh at debian.org
Mon Nov 1 22:40:42 UTC 2004


I've created this list and added the team to it so we can have an easier
way to talk among ourselves without having to CC everyone or find the
mails in the other traffic on debian-security. Hope that's ok. This is a
public mailing list, since we don't have any early vulnerability
disclosure. There's also a mailing list
secure-testing-commits at lists.alioth.debian.org that gets every commit to
the svn repository, which some might find useful.

We seem to be about done with 2004 CANs, I see only these that still
have TODO on them, and are probably some of the hard ones (mostly ones I
wimped out on actually):

CAN-2004-0813
        NOTE: ide-cd SG_IO vulnerability
        NOTE: should be fixed in recent 2.6 and 2.4 kernels
        TODO: check
CAN-2004-0745
        TODO: unsure if fixed, probably not. Mailed lha maintainer.
        NOTE: GOTO says first he heard of it, is checking.
CAN-2004-0667
        TODO: kernel-patch-adamantix may contain the RSBAC patch, check
CAN-2004-0658
        TODO: what kernel version fixed this?
CAN-2004-0619
        TODO: unchecked
CAN-2004-0576
        HELP: which one is GNU radius?
        TODO: unchecked
CAN-2004-0527
        TODO: unchecked
CAN-2004-0496
        TODO: unchecked
CAN-2004-0478
        NOTE: only a Mozilla DOS
        TODO: not even fixed upstream

I see that the CVE list is claimed by two of us all the way through
2003-0058, and 2004 is mostly done[1].

This is amazing progress.
And we've found a bunch of holes in sarge:

postgresql 7.4.6-1 needed, have 7.4.5-3 for CAN-2004-0977 [local; low]
perl (unfixed; bug #278404) for CAN-2004-0976 [local; low]
openssl (unfixed; bug #278260) for CAN-2004-0975 [local; low]
netatalk 1.6.4a-1 needed, have 1.6.4-2 for CAN-2004-0974 [local; low]
kbr5 (unfixed; bug #278271; not shipped in binary package) for CAN-2004-0971 [local; low]
arla (unfixed; bug #278273) for CAN-2004-0971 [local; low]
groff 1.18.1.1-2 needed, have 1.18.1.1-1 for CAN-2004-0969 [local; medium]
libc6 (unfixed; bug #278278) for CAN-2004-0968 [local; medium]
gs-common (unfixed; bug #278282) for CAN-2004-0967 [local; medium]
gettext 0.14.1-6 needed, have 0.14.1-5 for CAN-2004-0966 [local; medium]
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0909
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0908
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0906
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0905
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0904
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0903
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0902
apache2 2.0.53 needed, have 2.0.52-1 for CAN-2004-0885
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0746
konqueror 4:3.2.3-1.sarge.1 needed, have 4:3.2.2-1 for CAN-2004-0721
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0721
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0690
gnats 4.0-6.1 needed, have 4.0-6 for CAN-2004-0623
qla2x00-source (unfixed; bug #27870) for CAN-2004-0587
overkill 0.16-7 needed, have 0.16-6 for CAN-2004-0238
openssh (unfixed; bug #270770) for CAN-2004-0175
iptables 1.2.11-4 needed, have 1.2.11-2 for DSA-580-1
mpg123 0.59r-17 needed, have 0.59r-16 for DSA-578-1
postgresql 7.4.6-1 needed, have 7.4.5-3 for DSA-577-1
kpdf (unfixed; bug #278173) for DSA-573-1
gpdf 2.8.0-1 needed, have 2.8.0-0.1 for DSA-573-1
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for DSA-539

This suggests what needs to be done next: Follow up on getting these
fixes into unstable (if the bugs aren't yet fixed) and into testing.
And at the same time, since checking the older CANs has found a couple
of unfixed issues, continue working back through 2003.

A few other things that could be done:

 - Our CAN list stops at CAN-2004-0979, but the highest CAN yet released
   is a bit higher. Tease a list of the newer CANs out of mitre's web
   site, and maybe come up with an automated way to add new ones to the
   list. Same for CVEs?
 - Set up some kind of web site on alioth.

Keep up the good work,

-- 
see shy jo

[1] Question to wart: did you mean to leave the "- " off the front of
    package names whose CANs you've not fully tested, or was that a
    mistake? My script will not check these.
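The "X needed, have Y for CAN-..." status lines above lend themselves to a small checker. As an added example (not Joey's script and not code from the secure-testing repository), the Python below parses lines in that format and decides, using the dpkg version-ordering rules (epoch, then upstream, then Debian revision; "~" sorts before everything; letters before non-letters; digit runs compared numerically), whether testing still lacks the fix. The sample input is copied from the report above; the function names and the dict layout are my own choices.

```python
import re

# Sample input: a few status lines copied from the report in the mail above.
SAMPLE_REPORT = """\
postgresql 7.4.6-1 needed, have 7.4.5-3 for CAN-2004-0977 [local; low]
perl (unfixed; bug #278404) for CAN-2004-0976 [local; low]
netatalk 1.6.4a-1 needed, have 1.6.4-2 for CAN-2004-0974 [local; low]
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0909
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0746
"""


def _order(ch):
    """Sort weight of one character, following dpkg: '~' sorts before
    everything (even end of string), letters sort before non-letters.
    Digits get weight 0 here; digit runs are compared numerically below."""
    if ch == "" or ch.isdigit():
        return 0
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the dpkg way."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights one by one.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare numerically.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1      # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def debian_version_compare(v1, v2):
    """Return <0, 0 or >0 as v1 is older than, equal to or newer than v2.
    Versions have the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    c = _verrevcmp(u1, u2)
    return c if c != 0 else _verrevcmp(r1, r2)


_NEEDED = re.compile(r"^(\S+) (\S+) needed, have (\S+) for (\S+)")
_UNFIXED = re.compile(r"^(\S+) \(unfixed; bug #(\d+)(?:; [^)]*)?\) for (\S+)")


def parse_report(text):
    """Turn status lines into dicts; 'open' is True while testing lacks the fix."""
    entries = []
    for line in text.splitlines():
        m = _NEEDED.match(line)
        if m:
            pkg, needed, have, issue = m.groups()
            entries.append({"package": pkg, "issue": issue, "needed": needed,
                            "have": have, "bug": None,
                            "open": debian_version_compare(have, needed) < 0})
            continue
        m = _UNFIXED.match(line)
        if m:
            pkg, bug, issue = m.groups()
            entries.append({"package": pkg, "issue": issue, "needed": None,
                            "have": None, "bug": int(bug), "open": True})
    return entries


if __name__ == "__main__":
    for e in parse_report(SAMPLE_REPORT):
        if e["bug"]:
            state = "unfixed in unstable, bug #%d" % e["bug"]
        else:
            state = "have %s, need %s" % (e["have"], e["needed"])
        print("%-16s %-14s %s" % (e["package"], e["issue"], state))
```

Epochs are what make "4:3.2.3-2" sort sensibly against a plain "3.2.3", and the "~" rule is what keeps a pre-release like 1.0~rc1 below 1.0; a naive string or tuple comparison gets both wrong, which is exactly the kind of mistake that makes a tracker report a package as fixed when it is not.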