[Secure-testing-team] Lenny security bug sprint
Moritz Muehlenhoff
jmm at inutil.org
Mon Nov 17 23:39:36 UTC 2008
On Mon, Nov 17, 2008 at 06:55:13AM +0100, Moritz Muehlenhoff wrote:
> Hi,
> I went through all the open Lenny security issues and commented on them
> briefly.
Updated status below:
dovecot / CVE-2008-4578
Upstream patch for 1.1 in #502967, needs backport. The issue itself
looks harmless, might be suitable for no-dsa for Lenny
liquidsoap / CVE-2008-4965
Fixed in a DTSA, but doesn't seem to have reached Lenny yet?
Currently waiting for hppa build
glibc / CVE-2008-1447
Florian, do you know the status of a hardened resolver?
movabletype-opensource / CVE-2008-4634 (Dominic)
Upstream says that more issues are coming, no reaction from upstream since 8 Nov 2008
Patch for XSS issue is extracted. Dominic will revisit this week.
mysql-dfsg-5.0 / CVE-2008-4098 (Devin)
Devin, you prepared the DSA. Since the upstream release is much more recent than
Lenny and won't migrate, can you prepare an update for Lenny/testing-proposed-updates?
ffmpeg-debian / CVE-2008-4869
It's a bit silly to single out a few security problems, since ffmpeg
issues aren't systematically tracked. Maintainer has prepared patches for
this.
opendb / CVE-2008-4796
Filed for removal, #505728. Make sure it's removed before Lenny release.
linux-2.6 / CVE-2007-6514
This one needs retesting with current kernels.
mplayer / CVE-2007-6718 (Nico)
The infinite loop is harmless, the other two open issues should be checked
in more depth, but they appear as regular bugs rather than security issues.
mplayer / CVE-2008-4610 (Nico)
The ogm file is handled gracefully, the aac file crashes mplayer, but needs
some checking, whether it's really a security problem.
nagios3 / CVE-2008-5028
The maintainer is working on an update.
openldap / #253838
Needs more prodding.
pidgin / CVE-2008-2955, CVE-2008-2956 (Devin)
Patch status unclear.
python2.[45] / CVE-2008-4864
2.5 fixed in unstable, 2.4 missing.
qemu / CVE-2008-0928
Patches break existing images.
qemu / CVE-2008-4539
Fixed in experimental, unstable still needed.
redhat-cluster CVE-2008-4192 / CVE-2008-4579 / CVE-2008-4580 (Stefan)
Fixed in unstable, need lenny backports
ruby1.9 / CVE-2008-3443 (Moritz)
This one's unclear. Code in 1.9 is very different from 1.8. Upstream
has been contacted to clarify.
smarty CVE-2008-4810 / CVE-2008-4811
-4810 is about the original bug, -4811 is about the incomplete fix for all the
attack vectors. Raphael hasn't heard from upstream about -4811
tor / #505178
Fixed in experimental, Peter will fix it for Lenny with an upcoming point
release.
xemacs21 / CVE-2008-2142
xemacs seems fairly unmaintained, so this likely needs an NMU.
xen-3 / CVE-2008-4993, CVE-2008-2004, CVE-2008-4405
Patches can be picked from Red Hat, since they've already released updates.
xine-lib #498243
No upstream patches, but the descriptions in the advisory are fairly verbose.
universalindentgui (#504726)
Patch available in the bug, but package and the patch need further cleanups. It might
also be an option to drop it from Lenny and let it mature more for Squeeze.
wordpress (504771)
Needs a sponsored upload.
Unclear older Mozilla issues, the ones w/o references to Mozilla bug entries
should be sent to security at mozilla.org for status/clarification: (Moritz)
xulrunner CVE-2007-3144, CVE-2007-3827
iceape CVE-2007-1084, CVE-2007-3144, CVE-2007-3827
icedove CVE-2008-0419
iceweasel CVE-2007-1084, CVE-2007-1970, CVE-2007-3144, CVE-2007-3827, CVE-2008-0367, CVE-2008-2419