[Secure-testing-team] report on current state of sarge security
Joey Hess
joeyh at debian.org
Tue Nov 23 20:15:17 UTC 2004
Over the past couple of weeks the testing security team has reviewed all
CAN and CVE entries announced since the release of woody, to check which
of these security holes are still present in sarge. Adding this to the
earlier work to review DSAs, we now have a pretty good picture of
unfixed security holes in sarge, and can be reasonably sure that there
are no old forgotten security holes that never got a fix into sarge,
although it's always possible we missed some or made mistakes, and we
still have 50 or so items marked TODO or HELP.
We checked about 2700 items; of these, about 600 had affected Debian at
some point, and 26 remain unfixed in sarge:
kaffeine 0.4.3.1-3 needed, have 0.4.3-1 for CAN-2004-1034
  Blocked by kde, t-p-u upload candidate.
gxine (unfixed; bug #279747) for CAN-2004-1034
  Was supposed to be fixed last weekend, was not, NMU candidate.
fcron 2.9.5.1-1 needed, have 2.9.4-3.1 for CAN-2004-1033
fcron 2.9.5.1-1 needed, have 2.9.4-3.1 for CAN-2004-1032
fcron 2.9.5.1-1 needed, have 2.9.4-3.1 for CAN-2004-1031
fcron 2.9.5.1-1 needed, have 2.9.4-3.1 for CAN-2004-1030
  Blocked by libselinux (should go in in 4 days).
zip 2.30-8 needed, have 2.30-6 for CAN-2004-1010
  Held out by missing hppa build.
ppp 2.4.2+20040428-3 needed, have 2.4.2+20040428-2 for CAN-2004-1002
  Candidate to be forced into testing, if the diff seems sane
  to RMs. If not, we should backport only the security fix to t-p-u.
iptables 1.2.11-4 needed, have 1.2.11-2 for CAN-2004-0986
  Candidate to be forced into testing, if the diff seems sane
  to RMs. Changes seem minimal and necessary.
mailutils 1:0.5-4 needed, have 1:0.5-3 for CAN-2004-0984
  A missing mips build apparently happened 5 Nov, but was not uploaded.
  FTBFS on s390 due to test suite failures, which has happened before
  (#192962, #265490).
perl 5.8.4-4 needed, have 5.8.4-3 for CAN-2004-0976
  FTBFS on mipsel due to test suite failures.
  Note that this happened for -3 also, and yet it somehow got built
  and into sarge anyway. How?
openssl 0.9.7e-1 needed, have 0.9.7d-5 for CAN-2004-0975
  New upstream with several security fixes, needs RM review.
libc6 (unfixed; bug #278278) for CAN-2004-0968
  So far no response from maintainers. NMU candidate, if this wasn't
  glibc...
samba 3.0.8-1 needed, have 3.0.7-2 for CAN-2004-0930
  Missing alpha build from the 18th.
koffice 1:1.3.4-1 needed, have 1:1.3.2-1.sarge.1 for CAN-2004-0888
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0746
konqueror 4:3.2.3-1.sarge.1 needed, have 4:3.2.2-1 for CAN-2004-0721
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0721
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0690
  All of these are fixed in t-p-u, but blocked for well-understood
  reasons.
kernel-source-2.4.27 (unfixed; bug #280492) for CAN-2003-0465 (strncpy in kernel does not pad with zeroes)
  May not be an RC security hole.
ssh (unfixed; bug #281595) for CAN-2003-0190
  Limited vulnerability (information leak).
apache 1.3.33-2 needed, have 1.3.31-7 for DSA-594-1
  Was uploaded with wrong urgency, should have an urgent hint added.
libgd1 (unfixed; bug #280134) for DSA-589-1
  Unknown delay getting patch applied, NMU candidate.
kpdf 4:3.3.1-1 needed, have 4:3.2.3-1.1 for DSA-573-1
kfax 4:3.3.1-1 needed, have 4:3.2.3-1.1 for DSA-573-1
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for DSA-539
  IIRC fixes for these are not in t-p-u yet.
--
see shy jo
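As an added example (my own code, not from Joey's mail or from the Debian security tracker): a Python checker that parses the report's `pkg NEEDED needed, have HAVE for ID` lines and decides whether sarge has caught up, re-implementing dpkg's version ordering (epoch first, then upstream, then Debian revision; `~` sorts before anything, letters before other punctuation, digit runs compared numerically). The line format and package versions are the ones in the report above.

```python
import re

def _order(c):
    # Weight of one character in a non-digit run, as in dpkg's verrevcmp:
    # '~' < end-of-string (0) < letters < other punctuation.
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg comparison of two upstream or revision strings: <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit runs are compared character by character; end counts as 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # digit runs are compared numerically, so 20040428 > 3 and 10 > 9
        m, n = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(m), j + len(n)
        if int(m or 0) != int(n or 0):
            return int(m or 0) - int(n or 0)
    return 0

def _split(v):
    """Split '[epoch:]upstream[-revision]' the way dpkg does."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (rev if sep else "")

def compare_versions(v1, v2):
    """Same sign as `dpkg --compare-versions v1 lt|eq|gt v2`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

STATUS_RE = re.compile(r"^(\S+) (\S+) needed, have (\S+) for (\S+)$")
def parse_status_line(line):
    """Return (package, id, still_vulnerable) for a report line, else None."""
    m = STATUS_RE.match(line.strip())
    if not m:
        return None
    pkg, needed, have, ref = m.groups()
    return pkg, ref, compare_versions(have, needed) < 0
```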