[Secure-testing-team] Updates for testing-security track page

Francesco Poli frx at firenze.linux.it
Sun Jun 4 22:14:36 UTC 2006


Hi all!

Joey Hess suggested that I report issues like the following to this list.

While looking at some vulnerabilities listed in the testing-security
track page (http://spohr.debian.org/~joeyh/testing-security.html), I
noticed that some data don't seem to be updated.

For example:


* mozilla-thunderbird (unfixed) for CVE-2006-0836, CVE-2006-0295,
CVE-2006-0298, CVE-2006-0299, CVE-2006-0297, CVE-2006-0294,
CVE-2005-3402

Since mozilla-thunderbird is now a dummy transitional package, its
vulnerabilities should be attributed to the real package (that is to
say, thunderbird).
Out of these 7 issues, 5 are claimed[1] to be fixed in thunderbird
version 1.5.0.2-1, which has already migrated to testing (for all archs,
except s390, which is not a release candidate, though).
Those 5 seemingly solved issues are:
CVE-2006-0294 CVE-2006-0295 CVE-2006-0297 CVE-2006-0298 CVE-2006-0299

The remaining 2 vulnerabilities (CVE-2006-0836 and CVE-2005-3402) may
still be present in sid (package thunderbird, I think).

Is this correct?

[1] by  http://spohr.debian.org/~joeyh/testing-security.html  itself


* mysql-dfsg (unfixed; bug #365939) for CVE-2006-1518, CVE-2006-1517,
CVE-2006-1516

The bug report[2] refers to package mysql-server-5.0 and claims that
the issue is fixed in mysql-dfsg-5.0 version 5.0.21-1, which is
superseded by 5.0.22-2 in sid.
Testing seems to be still vulnerable, because it has version 5.0.20-1.

[2] http://bugs.debian.org/365939
[3] http://bjorn.haxx.se/debian/testing.pl?package=mysql-server-5.0



Please note that I'm (slowly) performing other similar checks, hence
other reports like this could reach this list in the future.
Joey Hess told me that the bug status tracking is still done manually: I
hope it can be automated soon!



P.S.: I am not subscribed to the list, so, please, Cc: me on replies, if
      any. Thanks.


-- 
    :-(   This Universe is buggy! Where's the Creator's BTS?   ;-)
......................................................................
  Francesco Poli                             GnuPG Key ID = DD6DFCF4
 Key fingerprint = C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4