[Secure-testing-team] Lenny security bug sprint

Moritz Muehlenhoff jmm at inutil.org
Fri Nov 28 19:23:25 UTC 2008 

On Tue, Nov 18, 2008 at 12:39:36AM +0100, Moritz Muehlenhoff wrote:
> On Mon, Nov 17, 2008 at 06:55:13AM +0100, Moritz Muehlenhoff wrote:
> > Hi,
> > I went through all the open Lenny security issues and commented on them
> > briefly. 
 
Updated status below:

cups / CVE-2008-5183
  Status needs checking

dovecot / CVE-2008-4578
  Upstream patch for 1.1 in #502967, needs backport. The issue itself
  looks harmless, might be suitable for no-dsa for Lenny

ffmpeg-debian / CVE-2008-4869
  It's a bit silly to single out a few security problems, since ffmpeg
  issues aren't systematically tracked. Maintainer has prepared patches for
  this, but no further reaction so far.

flamethrower / CVE-2008-5141
  Dann has already prepared an update, but it's not been uploaded yet.

geshi / CVE-2008-5185
  No maintainer reaction so far, pinged.

iceape / many
  Fixed in unstable, but the stable maintenance is still not sorted out

icedove / many
  No fix uploaded yet.

linux-2.6 / CVE-2007-6514
  This one needs retesting with current kernels.

ltp / CVE-2008-4969, CVE-2008-5145
  Documented as insecure, but not properly applied yet

mailscanner / CVE-2008-5140 and more mentioned in the Debian bug
  No fix yet.

mplayer / CVE-2007-6718 (Nico)
  The infinite loop is harmless, the other two open issues should be checked
  in more depth, but the appear as regular bugs rather than security issues.

mplayer / CVE-2008-4610 (Nico)
  The ogm file is handled gracefully, the aac file crashes mplayer, but needs
  some checking, whether it's really a security problem.

msp-webserver / CVE-2008-5160
  Appears to have many quality issues, pushed for removal

mysql-dfsg-5.0 / CVE-2008-4098 (Devin)
  Devin prepared an update for testing-proposed-updates, acked by RMs.

nagios3 / CVE-2008-5028
  Maintainer wanted to have had it ready by last friday, needs prodding. 

openldap / #253838 
  Upstream fixed it, still needs upload

p3nfs / CVE-2008-5154
  Unfixed, no maintainer reaction

pidgin / CVE-2008-2955, CVE-2008-2956 (Devin)
  Patch status unclear.

qemu / CVE-2008-0928
  Patches break existing images.

qemu / CVE-2008-4539
  Fixed in experimental, unstable still needed.

quassel / #506550
  Maintainer apparently has an update ready, but needs a sponsor.

redhat-cluster CVE-2008-4192 / CVE-2008-4579 / CVE-2008-4580 (Stefan)
  Fixed in unstable, needs lenny backports

ruby1.9 / CVE-2008-3443 (Moritz)
  Patch received from upstream, maintainers are preparing an update.

smarty CVE-2008-4810 / CVE-2008-4811
  -4810 is about the original bug, -4811 is about the incomplete fix for all the
  attack vectors. Raphael will ask on oss list.

smsclient / CVE-2008-5155
  Patch available, but no maintainer reaction since september 2008

tkman / CVE-2008-5137
  Unfixed

verlihub / #506530
  Unfixed, no maintainer reaction, obscure fringe package

wireshark / #506741
  Unfixed, minor issue

xemacs21 / CVE-2008-2142
  xemacs seems fairly unmaintained, so this likely needs a NMU.

xen-3 /CVE-2008-4993, CVE-2008-2004, CVE-2008-4405
  Patches can be picked from Red Hat, since they've already released updates.

xine-lib #498243
  Thomas Viehmann was working on patches, is working with Darren Salt,
  who's both the maintainer and upstream


Unclear older Mozilla issues, the ones w/o references to Mozilla bug entries
should be sent to security at mozilla.org for status/clarification: (Moritz)

xulrunner              CVE-2007-3144, CVE-2007-3827
iceape                 CVE-2007-1084, CVE-2007-3144, CVE-2007-3827
icedove                CVE-2008-0419
iceweasel              CVE-2007-1084, CVE-2007-1970, CVE-2007-3144, CVE-2007-3827, CVE-2008-0367, CVE-2008-2419

More information about the Secure-testing-team mailing list