[Secure-testing-team] Status of unfixed security issues

Moritz Muehlenhoff jmm at inutil.org
Wed Apr 6 19:24:00 UTC 2005


Joey Hess wrote:
> > slash CAN-2002-1647
> >  - Maintainer doesn't consider possible disclosure of user account passwords
> >    a security problem. It should be explained to him why this _is_ indeed
> >    a (minor) security problem.
> 
> I tried and he ignored me with the comment that he's ignored others who
> have tried to explain it to him. :-/
> 
> The fact that upstream apparently fixed it years ago and he's not even
> updating the package is just weird.

The latest stable slash release still seems to be 2.2.6, as shipped in Debian.
Maybe it's more convincing with a patch from upstream?

> > ssh CAN-2004-1653
> >  - This can be closed, it's known and documented SSH behaviour. Any objections?
> 
> I'd been waiting for Colin to close it as the ssh maintainer. No
> objections though.

Ok, I've removed it from the list of unfixed bugs and we can leave it to Colin to
close the bug itself.

> > tnftp CAN-2004-1294
> >   - No maintainer reaction for 3.5 months. Someone prepared an updated package
> >     of fixed upstream. Any DD willing to review and upload?
> 
> Also not in testing, probably due to this hole. I'd say let MIA know
> about it, I don't know if I want to fix it if that ends up getting the
> unmaintained package back into testing.

Well yes, that's probably for the best.
The maintainer is not MIA, probably just overloaded with more important packages like Mozilla.

> I count about 30 that use lesstif1. It surely wouldn't hurt to file bugs
> on all of them but it seems likely some would need more than a rebuild
> and without mass NMUing I doubt we'd get them all fixed for sarge.
> Still, it's probably the most viable way to avoid these CANs. We could
> bring this up on debian-release and see what the RMs think about the
> idea.

Yes, that sounds like a plan. But before this is done the situation should be
evaluated further wrt affected src packages, their interdependencies and a
deeper look at the MOTIF documentation. I can do this, but I'm busy until
Friday.

Cheers,
        Moritz
