[Secure-testing-team] Status of unfixed security issues

Joey Hess joeyh at debian.org
Tue Apr 5 22:15:45 UTC 2005


Moritz Muehlenhoff wrote:
> slash CAN-2002-1647
>  - Maintainer doesn't consider possible disclosure of user account passwords
>    a security problem. It should be explained to him, why this _is_ indeed
>    a (minor) security problem.

I tried and he ignored me with the comment that he's ignored others who
have tried to explain it to him. :-/

The fact that upstream apparently fixed it years ago and he's not even
updating the package is just weird.

> ssh CAN-2004-1653
>  - This can be closed, it's known and documented SSH behaviour. Any objections?

I'd been waiting for Colin to close it as the ssh maintainer. No
objections though.

> openwebmail CAN-2005-0445
>  - Fixed upstream and no maintainer reaction for six weeks. Given the fact that
>    another security issue is open for 2.5 months without reaction and 291478
>    describes the security state of the code as rather poor, this package should
>    be given up for adoption or removed from sid as well. It's currently not part
>    of Sarge, but there are still about 100 sid users in popcon alone who use the
>    vulnerable version.

You should contact the MIA handling guys for this I think.

> tftpd-hpa CAN-2004-1485
>   - No maintainer reaction for seven weeks, but the proposed solution from Joey
>     seems correct.

I'll re-ping him, he's been responsive about non-security issues in the
past.

> mozilla-firefox CAN-2005-0233
>   - I guess we can mark this fixed for the testing tracking purposes. Spoofing
>     is no longer possible with IDN disabled and the punycode representation
>     present. It's a problem implicit in Unicode representations. Konqueror fixed
>     this by allowing IDN only for TLDs that have an anti-scam policy on Unicode,
>     but that's not necessarily a better solution. Objections?

I've been leaving it open only because the firefox maintainer noted that
he's not fully happy with the fix. OTOH, we could just throw in a NOTE
to that effect.

> tnftp CAN-2004-1294
>   - No maintainer reaction for 3.5 months. Someone prepared an updated package
>     of fixed upstream. Any DD willing to review and upload?

Also not in testing, probably due to this hole. I'd say let MIA know
about it; I don't know if I want to fix it if that ends up getting the
unmaintained package back into testing.

> lesstif1 CAN-2004-0914 and 0688 and 0687
>   - MOTIF 1.2 support is no longer maintained upstream and it has already proven
>     to be difficult to support for this issue. Is it really a good idea to keep
>     support for lesstif1 for at least three more years (till Sarge, Sarge life
>     cycle, Sarge-oldstable)? Only about two dozen binary packages still depend on
>     lesstif1, mostly legacy X11 applications that haven't been touched by their
>     maintainers for years. I just tried to "port" xsol simply by changing
>     build-depends and it worked without problems. Maybe it's doable to fix the
>     few remaining packages and drop lesstif1 before Sarge freeze? Comments?

I count about 30 that use lesstif1. It surely wouldn't hurt to file bugs
on all of them, but it seems likely some would need more than a rebuild,
and without mass NMUing I doubt we'd get them all fixed for sarge.
Still, it's probably the most viable way to avoid these CANs. We could
bring this up on debian-release and see what the RMs think about the
idea.

-- 
see shy jo
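The IDN spoofing point quoted above (mozilla-firefox CAN-2005-0233) in working code, as an added example that is not from this thread: it shows the punycode (ACE) form a browser displays when IDN rendering is disabled, and a coarse mixed-script check over constructed sample hostnames. The function names and the sample hostnames are assumptions, not anything from the list discussion.

```python
import unicodedata

# Constructed sample hostnames (not from the page): a plain ASCII name,
# a look-alike that swaps in Cyrillic 'а' (U+0430) for Latin 'a', and a
# legitimate single-script IDN.
SAMPLES = ["example.org", "ex\u0430mple.org", "b\u00fccher.example"]


def to_punycode(hostname):
    """ASCII-compatible form of a hostname, i.e. what a browser shows
    with IDN display disabled; pure ASCII names are returned unchanged."""
    return hostname.encode("idna").decode("ascii")


def label_scripts(label):
    """Coarse script classes of the letters in one DNS label, taken from
    the first word of each non-ASCII character's Unicode name (e.g.
    'CYRILLIC'); ASCII letters count as LATIN. Heuristic, not UTS #39."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def is_mixed_script(hostname):
    """True if any label mixes scripts, the pattern behind homograph
    spoofing that the punycode display is meant to expose."""
    return any(len(label_scripts(lbl)) > 1 for lbl in hostname.split("."))


def report(hostnames):
    """Map each hostname to (displayed ACE form, mixed-script flag)."""
    return {h: (to_punycode(h), is_mixed_script(h)) for h in hostnames}


if __name__ == "__main__":
    for host, (ace, mixed) in report(SAMPLES).items():
        print(f"{host!r:22} -> {ace:24} mixed-script={mixed}")
```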