[Secure-testing-team] Lenny security bug sprint

Moritz Muehlenhoff jmm at inutil.org
Fri Nov 28 21:35:42 UTC 2008


On Wed, Nov 26, 2008 at 12:50:19AM -0800, Devin Carraway wrote:
> On Mon, Nov 17, 2008 at 01:13:23PM -0800, Devin Carraway wrote:
> > > mysql-dfsg-5.0 / CVE-2008-4098
> > >   Devin, you prepared the DSA. Since the upstream release is much more recent than
> > >   Lenny and won't migrate, can you prepare an update for Lenny/testing-proposed-updates?
> 
> Proposed upload is here -- given the broad use of the package and the
> consequences of a mistake, can someone give it a look over?
> 
> http://devin.com/debian/security/mysql-dfsg-5.0_lenny.debdiff
> http://devin.com/debian/security/mysql/lenny/
> 
> > > pidgin / CVE-2008-2955, CVE-2008-2956
> > >   Patch status unclear.
> 
> I reviewed the patches; upstream claims that CVE-2008-2955 is already fixed by
> the version in Lenny; subsequent changes have improved protocol consistency
> following an attack but are not overtly security-relevant.  

Ack, committed to tracker.

> The only extant
> patch for CVE-2008-2956 was submitted by the reporter, and has not been
> accepted either by upstream or by the Debian maintainer.  Given the difficulty
> of real-world exploitation and the modest consequences thereof, I think we're
> better off letting this one be.

I've committed it as lenny no-dsa; if a patch emerges later we can fix it along
with more serious issues, if any arrive later in the time frame of the Lenny
support.

Cheers,
        Moritz
