[Secure-testing-team] Lenny security bug sprint

Moritz Muehlenhoff jmm at inutil.org
Mon Nov 17 05:55:13 UTC 2008


Hi,
I went through all the open Lenny security issues and commented on them
briefly. If everyone picks two and fixes them (or brings the respective
maintainer into fixing them :-), we'll have a lot less work post release.

Cheers,
        Moritz

dia / #504251
  Unfixed, no maintainer reaction, patch available

dovecot / CVE-2008-4578
  Upstream patch for 1.1 in #502967, needs backport. The issue itself
  looks harmless, might be suitable for no-dsa for Lenny

egroupware / CVE-2007-3215
  Should be fixed by using the system wide libphp-mailer, #504283,
  I remember vaguely that the phpmailer issue is only exploitable
  if certain preconditions are met, it should be checked, whether these
  really apply to egroupware.

liquidsoap / CVE-2008-4965
  Fixed in a DTSA, but doesn't seem to have reached Lenny yet?

glibc / CVE-2008-1447
  Florian, do you know the status of a hardened resolver?

movabletype-opensource / CVE-2008-4634
  Upstream says that more issues are coming, no reaction from upstream since 8 Nov 2008
  Patch for XSS issue is extracted

mysql-dfsg-5.0 / CVE-2008-4098
  Devin, you prepared the DSA. Since the upstream release is much more recent than
  Lenny and won't migrate, can you prepare an update for Lenny/testing-proposed-updates?

ffmpeg-debian / CVE-2008-4869
  It's a bit silly to single out a few security problems, since ffmpeg
  issues aren't systematically tracked. Maintainer has prepared patches for
  this.

ktorrent / #504178
  The ktorrent2.2 package was fixed already, prodded maintainer.

opendb / CVE-2008-4796
  Filed for removal, #505728. Make sure it's removed before Lenny release.

linux-2.6 / CVE-2007-6514
  This one needs retesting with current kernels.

linux-2.6 / CVE-2008-4933, CVE-2008-4934, CVE-2008-5025, CVE-2008-5029
  Patches are available upstream, should be merged into the next -11 upload.

mplayer / CVE-2007-6718
  The infinite loop is harmless, the other two open issues should be checked
  in more depth, but they appear as regular bugs rather than security issues.

mplayer / CVE-2008-4610
  The ogm file is handled gracefully, the aac file crashes mplayer, but needs
  some checking, whether it's really a security problem.

nagios3 / CVE-2008-5028
  The maintainer is working on an update.

openldap / #253838
  Needs more prodding.

php5 / CVE-2008-4107
  php-suhosin provides proper randomisation, but this needs more visible documentation.
  Maybe the release notes or the existing README.Debian.security?

pidgin / CVE-2008-2955, CVE-2008-2956
  Patch status unclear.

python2.[45] / CVE-2008-4864
  2.5 fixed in unstable, 2.4 missing.

qemu / CVE-2008-0928
  Patches break existing images.

qemu / CVE-2008-4539
  Fixed in experimental, unstable still needed.

redhat-cluster CVE-2008-4192 / CVE-2008-4579 / CVE-2008-4580
  Fixed in unstable, need lenny backports

ruby1.9 / CVE-2008-3443
  This one's unclear. This needs to be reproduced with the milw0rm
  POC and checked with upstream (other Ruby regex issues were recently
  fixed).

ruby1.9 / CVE-2008-3905
  Maybe this is already fixed and was only forgotten in the changelog,
  needs further checks or contacting the maintainer.

smarty CVE-2008-4810 / CVE-2008-4811
  I'm not sure about the exact status.

tor / #505178
  Fixed in experimental, Peter will fix it for Lenny with an upcoming point
  release.

xemacs21 / CVE-2008-2142
  xemacs seems fairly unmaintained, so this likely needs a NMU.

xen-3 / CVE-2008-4993, CVE-2008-2004, CVE-2008-4405
  Patches can be picked from Red Hat, since they've already released updates.

xine-lib #498243
  No upstream patches, but the descriptions in the advisory are fairly verbose.

universalindentgui (#504726)
  Patch available in the bug, but package and the patch need further cleanups. It might
  also be an option to drop it from Lenny and let it mature more for Squeeze.

wordpress (504771)
  No patch yet.

Unclear older Mozilla issues, the ones w/o references to Mozilla bug entries
should be sent to security at mozilla.org for status/clarification:

xulrunner              CVE-2007-3144, CVE-2007-3827
iceape                 CVE-2007-1084, CVE-2007-3144, CVE-2007-3827
icedove                CVE-2008-0419
iceweasel              CVE-2007-1084, CVE-2007-1970, CVE-2007-3144, CVE-2007-3827, CVE-2008-0367, CVE-2008-2419


