Author: jmm-guest
Date: 2009-12-07 23:16:05 +0000 (Mon, 07 Dec 2009)
New Revision: 13486

Modified:
   data/CVE/list
   data/embedded-code-copies
Log:
freeradius uses system libltdl

Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-12-07 23:07:04 UTC (rev 13485) +++ data/CVE/list 2009-12-07 23:16:05 UTC (rev 13486) @@ -1128,7 +1128,6 @@ - courier-authlib <unfixed> (medium; bug #559802) - cvsnt <unfixed> (medium; bug #559803) - dico <unfixed> (medium; bug #559804) - - freeradius <unfixed> (medium; bug #559805) - ggobi <unfixed> (medium; bug #559806) - glame <unfixed> (medium; bug #559807) - gnash <unfixed> (medium; bug #559808) Modified: data/embedded-code-copies ==================================================================--- data/embedded-code-copies 2009-12-07 23:07:04 UTC (rev 13485) +++ data/embedded-code-copies 2009-12-07 23:16:05 UTC (rev 13486) @@ -1523,7 +1523,8 @@ - courier-authlib <unfixed> (embed) - cvsnt <unfixed> (embed) - dico <unfixed> (embed) - - freeradius <unfixed> (embed) + - freeradius 0.1+20010527-1 (embed) + NOTE: Earliest reference I could find from the changelog is from 27 May 2001 - ggobi <unfixed> (embed) - glame <unfixed> (embed) - gnash <unfixed> (embed)
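Review bot: In the data/CVE/list hunk (@@ -1128,7 +1128,6 @@), the freeradius line is deleted outright, so bug #559805 no longer appears in that file, while data/embedded-code-copies still lists freeradius with a version. Consider keeping an entry that states why the package is not affected, so the bug reference stays traceable from the list.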
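Review bot: In the data/embedded-code-copies hunk (@@ -1523,7 +1523,8 @@), the version 0.1+20010527-1 is backed only by the NOTE's changelog reference ("Earliest reference I could find from the changelog is from 27 May 2001"); nothing in the hunk records that the built package was checked to link against the system libltdl. Suggest extending the NOTE with how the linking was verified, or stating that the version is derived from the changelog alone.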
Michael Gilbert
2009-Dec-08 15:50 UTC
[Secure-testing-team] [Secure-testing-commits] r13486 - in data: . CVE
On Mon, 7 Dec 2009 23:16:05 +0000, Moritz Muehlenhoff wrote:
> Modified: data/embedded-code-copies > ==================================================================> --- data/embedded-code-copies 2009-12-07 23:07:04 UTC (rev 13485) > +++ data/embedded-code-copies 2009-12-07 23:16:05 UTC (rev 13486) > @@ -1523,7 +1523,8 @@ > - courier-authlib <unfixed> (embed) > - cvsnt <unfixed> (embed) > - dico <unfixed> (embed) > - - freeradius <unfixed> (embed) > + - freeradius 0.1+20010527-1 (embed) > + NOTE: Earliest reference I could find from the changelog is from 27 May 2001

there was previous discussion that checking against changelog entries was insufficient [0]. has this direction changed? if so, i could have avoided submitting a lot of these libtool bugs by simply checking that the package depends on libltdl and has a changelog entry saying that is the case, but i don't think that would have been considered sufficient.

i am expecting maintainers to actually double-check their linking process to verify that they are not pulling in the embedded code. is that asking too much?

mike
Michael Gilbert
2009-Dec-08 15:51 UTC
[Secure-testing-team] [Secure-testing-commits] r13486 - in data: . CVE
On Tue, 8 Dec 2009 10:50:23 -0500, Michael Gilbert wrote:
> On Mon, 7 Dec 2009 23:16:05 +0000, Moritz Muehlenhoff wrote:
> > Modified: data/embedded-code-copies > > ==================================================================> > --- data/embedded-code-copies 2009-12-07 23:07:04 UTC (rev 13485) > > +++ data/embedded-code-copies 2009-12-07 23:16:05 UTC (rev 13486) > > @@ -1523,7 +1523,8 @@ > > - courier-authlib <unfixed> (embed) > > - cvsnt <unfixed> (embed) > > - dico <unfixed> (embed) > > - - freeradius <unfixed> (embed) > > + - freeradius 0.1+20010527-1 (embed) > > + NOTE: Earliest reference I could find from the changelog is from 27 May 2001
>
> there was previous discussion that checking against changelog entries
> was insufficient [0]. has this direction changed? if so, i could have
> avoided submitting a lot of these libtool bugs by simply checking that
> the package depends on libltdl and has a changelog entry saying that is
> the case, but i don't think that would have been considered sufficient.
>
> i am expecting maintainers to actually double-check their linking
> process to verify that they are not pulling in the embedded code. is
> that asking too much?

reference:
[0] http://lists.alioth.debian.org/pipermail/secure-testing-team/2009-May/002394.html

mike
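One way to make the link check the replies above ask of maintainers, added here as an example and not taken from the thread or from the tracker's tooling: it classifies a binary from its `readelf -d` and `nm -D --defined-only` output. The function names, the symbol list and the sample outputs are constructed for illustration; a `none` result is inconclusive, because a stripped executable does not export the symbols of a copy compiled into it.

```shell
#!/bin/sh
# classify_ltdl DYNAMIC_TEXT SYMBOLS_TEXT
#   DYNAMIC_TEXT: output of `readelf -d <binary>`
#   SYMBOLS_TEXT: output of `nm -D --defined-only <binary>`
# Prints: system | embedded | both | none
classify_ltdl() {
    needed=no
    defined=no
    # A DT_NEEDED entry for libltdl.so.N means the packaged library is loaded at run time.
    if printf '%s\n' "$1" | grep -Eq '\(NEEDED\).*\[libltdl\.so(\.[0-9]+)*\]'; then
        needed=yes
    fi
    # libltdl entry points defined by the object itself mean a copy was compiled in.
    if printf '%s\n' "$2" | grep -Eq '^[0-9a-fA-F]+ [TtWw] lt_dl(init|open|openext|sym|close)$'; then
        defined=yes
    fi
    case "$needed/$defined" in
        yes/no)  echo system ;;
        no/yes)  echo embedded ;;
        yes/yes) echo both ;;      # links the system library and also carries a copy
        *)       echo none ;;      # inconclusive: check the build log as well
    esac
}

# Convenience wrapper for a real file (hypothetical helper, needs binutils).
check_binary() {
    classify_ltdl "$(readelf -d "$1" 2>/dev/null)" \
                  "$(nm -D --defined-only "$1" 2>/dev/null)"
}

# Constructed sample outputs, not taken from any real package.
SAMPLE_DYN_SYSTEM=' 0x0000000000000001 (NEEDED)             Shared library: [libltdl.so.7]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
SAMPLE_SYM_SYSTEM='0000000000003f20 T rad_example_init'
SAMPLE_DYN_EMBED=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
SAMPLE_SYM_EMBED='0000000000004a10 T lt_dlopen
0000000000004c80 T lt_dlsym'

echo "system-linked sample: $(classify_ltdl "$SAMPLE_DYN_SYSTEM" "$SAMPLE_SYM_SYSTEM")"
echo "embedded-copy sample: $(classify_ltdl "$SAMPLE_DYN_EMBED" "$SAMPLE_SYM_EMBED")"
```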