[Secure-testing-team] done with the woody CANs

Joey Hess joeyh at debian.org
Wed Nov 17 23:40:33 UTC 2004


We seem to be done with checking all of the woody CANs, a grep for TODO
in the list finds only a few things that we're waiting for updates or a
more thorough check on, and two or three really hard to check CANs, all
the rest checked. 

I'd like to post on -release and let them know that all the old CANs
have been verified fixed or have bugs in the BTS. There's still over 200
CVEs to check though, and I'll wait for that and for any remaining
followup on the CANs.

My check script shows piles of holes we now know are still present in
sarge. I've seen a lot of things fixed thanks to our work, but I think
we need to get more aggressive about making NMUs for unfixed security
bugs. Here's the full list of unfixed things:

fcron 2.9.5.1 (unfixed; bug #281436) for CAN-2004-1033
fcron 2.9.5.1 (unfixed; bug #281436) for CAN-2004-1032
fcron 2.9.5.1 (unfixed; bug #281436) for CAN-2004-1031
fcron 2.9.5.1 (unfixed; bug #281436) for CAN-2004-1030
zip 2.30-7 needed, have 2.30-6 for CAN-2004-1010
ppp 2.4.2+20040428-3 needed, have 2.4.2+20040428-2 for CAN-2004-1002
iptables 1.2.11-4 needed, have 1.2.11-2 for CAN-2004-0986
mailutils 1:0.5-4 needed, have 1:0.5-3 for CAN-2004-0984
perl 5.8.4-4 needed, have 5.8.4-3 for CAN-2004-0976
openssl 0.9.7e-1 needed, have 0.9.7d-5 for CAN-2004-0975
kbr5 (unfixed; bug #278271; not shipped in binary package) for CAN-2004-0971
libc6 (unfixed; bug #278278) for CAN-2004-0968
apache 1.3.33-2 needed, have 1.3.31-7 for CAN-2004-0940
koffice 1:1.3.4-1 needed, have 1:1.3.2-1.sarge.1 for CAN-2004-0888
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0746
konqueror 4:3.2.3-1.sarge.1 needed, have 4:3.2.2-1 for CAN-2004-0721
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0721
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0690
qla2x00-source 7.01.01-1 needed, have 6.6.10-2 for CAN-2004-0587
openssh (unfixed; bug #270770) for CAN-2004-0175 [very low]
openslp (unfixed; bug #279973; only problem in source package) for CAN-2003-0875 [source package only]
gtkhtml (unfixed; bug #279726) for CAN-2003-0541
kernel-source-2.4.27 (unfixed; bug #280492) for CAN-2003-0465 strncpy in kernel does not pad with zeroes
ssh (unfixed; bug #281595) for CAN-2003-0190
exim (unfixed; bug #171774) for CVE-2002-1381
apache 1.3.33-2 needed, have 1.3.31-7 for DSA-594-1
libgd1 (unfixed; bug #280134) for DSA-589-1
iptables 1.2.11-4 needed, have 1.2.11-2 for DSA-580-1
kpdf 4:3.3.1-1 needed, have 4:3.2.3-1.1 for DSA-573-1
kfax 4:3.3.1-1 needed, have 4:3.2.3-1.1 for DSA-573-1
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for DSA-539

It's amazing that we've turned up CANs from 2002 and 2003 that are not yet
fixed in sarge.

-- 
see shy jo