[Secure-testing-team] Status of unfixed security issues
Moritz Muehlenhoff
jmm at inutil.org
Tue Apr 5 21:49:53 UTC 2005
Hi,
I just had a look at the unfixed issues older than two days and would
like to point your attention to some points:

smail CAN-2005-0893
- It's fixed for the upcoming version (to be released on 8th Apr at the
latest) by preallocating the message strings.

slash CAN-2002-1647
- Maintainer doesn't consider possible disclosure of user account passwords
a security problem. It should be explained to him why this _is_ indeed
a (minor) security problem.

ssh CAN-2004-1653
- This can be closed, it's known and documented SSH behaviour. Any objections?

openwebmail CAN-2005-0445
- Fixed upstream and no maintainer reaction for six weeks. Given the fact that
another security issue has been open for 2.5 months without reaction and 291478
describes the security state of the code as rather poor, this package should
be given up for adoption or removed from sid as well. It's currently not part
of Sarge, but there are still about 100 sid users in popcon alone who use the
vulnerable version.

imagemagick CAN-2005-0406
- This requires more than a few one-liners to fix, but it doesn't seem as if
it has reached upstream's attention yet. There's nothing on -dev or -bugs.
Someone should write up a summary and a proposal to fix this for upstream.

wget CAN-2004-1488 and 1487
- IIRC upstream was working on the fixes, which were rather massive. As there's
a recent wget-cvs in experimental, it should be checked whether these issues
are addressed in that version.

tftpd-hpa CAN-2004-1485
- No maintainer reaction for seven weeks, but the proposed solution from Joey
seems correct.

mozilla-firefox CAN-2005-0233
- I guess we can mark this fixed for testing tracking purposes. Spoofing
is no longer possible with IDN disabled and the punycode representation
present. It's a problem implicit in Unicode representations. Konqueror fixed
this by allowing IDN only for TLDs that have an anti-scam policy on Unicode,
but that's not necessarily a better solution. Objections?

tnftp CAN-2004-1294
- No maintainer reaction for 3.5 months. Someone prepared an updated package
of the fixed upstream. Any DD willing to review and upload?

lesstif1 CAN-2004-0914 and 0688 and 0687
- MOTIF 1.2 support is no longer maintained upstream and it has already proven
to be difficult to support for this issue. Is it really a good idea to keep
support for lesstif1 for at least three more years (till Sarge, Sarge life
cycle, Sarge-oldstable)? Only about two dozen binary packages still depend on
lesstif1, mostly legacy X11 applications that haven't been touched by their
maintainers for years. I just tried to "port" xsol simply by changing
build-depends and it worked without problems. Maybe it's doable to fix the
few remaining packages and drop lesstif1 before Sarge freeze? Comments?
Cheers,
Moritz
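The mozilla-firefox item above (CAN-2005-0233) argues that showing the punycode form of an IDN host name is enough to make a homograph spoof visible. The following Python is an added example, not code from the post or from Firefox or Konqueror: it renders a host name label by label in its ASCII-compatible (xn--) form and adds a simple mixed-script heuristic that approximates script membership from Unicode character names. The sample host names are constructed; the Cyrillic "а" (U+0430) standing in for a Latin "a" is the classic confusable. The heuristic is an assumption for illustration, not the browsers' actual policy.

```python
import unicodedata


def to_ace(hostname: str) -> str:
    """Render a host name in its ASCII-compatible (punycode) form, label by label.

    Pure-ASCII labels are passed through; any label containing non-ASCII
    characters is punycode-encoded and prefixed with the "xn--" ACE marker.
    This is the representation the post says makes the spoof visible.
    """
    labels = []
    for label in hostname.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Approximate the set of scripts used in a label.

    Assumption: the first word of a character's Unicode name (LATIN, CYRILLIC,
    GREEK, ...) is used as its script. ASCII digits and the hyphen are treated
    as script-neutral, so "example-1" still counts as a single-script label.
    """
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def is_mixed_script(hostname: str) -> bool:
    """True if any label mixes characters from more than one script.

    A genuine IDN such as a German or Russian domain is single-script and
    passes; a label that blends Latin and Cyrillic letters is flagged.
    """
    return any(len(scripts_in(label)) > 1 for label in hostname.split("."))


def describe(hostname: str) -> str:
    """One-line defender-side summary: Unicode form, ACE form, and the verdict."""
    verdict = "MIXED SCRIPT - review" if is_mixed_script(hostname) else "ok"
    return f"{hostname!r} -> {to_ace(hostname)} [{verdict}]"


if __name__ == "__main__":
    # Constructed samples: an ordinary ASCII name, a legitimate single-script
    # IDN, and a homograph where the second letter is Cyrillic U+0430.
    for host in ("example.com", "m\u00fcnchen.de", "p\u0430ypal.com"):
        print(describe(host))
```

Running the block prints the ACE form next to the Unicode form, so the homograph shows up as `xn--pypal-4ve.com` while the legitimate umlaut domain becomes `xn--mnchen-3ya.de` and is not flagged; that contrast is exactly why the post considers the punycode display a sufficient mitigation.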