[Secure-testing-team] Re: [Secure-testing-commits] r3588 - data/CVE

Moritz Muehlenhoff jmm at inutil.org
Sat Mar 11 11:43:10 UTC 2006


SALVETTI Djoumé wrote:
> Author: djoume-guest
> Date: 2006-03-10 20:35:44 +0000 (Fri, 10 Mar 2006)
> New Revision: 3588
> 
> Modified:
>    data/CVE/list
> Log:
> * some NFUs
> * flex issue, I'm looking for someone aware of the
> coordination with Ubuntu about this issue.
>
>  CVE-2006-0975 (Multiple unspecified vulnerabilities in Will Estes and John Millaway ...)
> -	TODO: check
> +	- flex 2.5.33-1
> +	NOTE: There are other package affected by this vulnerability
> +	NOTE: Martin Pitt has built a list for ubuntu and also mentionned that
> +	NOTE: "Coordination with Debian has happened". 
> +	NOTE: Could someone aware about this please update this entry?
> +	NOTE: See : https://launchpad.net/distros/ubuntu/+source/flex/+bug/30940
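
Review bot: The "TODO: check" line is dropped even though the added NOTE lines still describe open work: other affected packages are mentioned but not listed, and one NOTE asks for someone to update the entry. With the TODO gone, nothing marks the entry as still needing attention, so I would keep a TODO line (for example "TODO: list the other affected packages") until those packages are recorded, and move the request for help to the mailing list rather than into a NOTE. Minor: "mentionned" is misspelled and the "Coordination with Debian has happened" line ends in trailing whitespace.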

Neil ran the detection script for Sarge and unstable on his private mirror.
I've just committed the list of affected packages in SVN.  Please help evaluate
the affected source packages up to which extent they use the vulnerable
and if there's an exploit vector. I've already started, but have been too
busy to make further progress. Help is welcome.

A flex fix is already prepared, but failed with mysterious failures on sparc,
ia64 and powerpc. For some reason the build system believes the included .l
have been changed and tries to rebuild the .l files from source, which
fails as flex doesn't build-depend on flex. I'll build them manually on porter
machines later this weekend. After that, affected flex-using packages will be
rebuilt.

Cheers,
        Moritz
