Author: dom Date: 2007-12-07 16:17:48 +0000 (Fri, 07 Dec 2007) New Revision: 7545 Modified: data/CVE/list Log: Details for e2fsprogs Modified: data/CVE/list ==================================================================--- data/CVE/list 2007-12-07 13:45:28 UTC (rev 7544) +++ data/CVE/list 2007-12-07 16:17:48 UTC (rev 7545) @@ -2426,8 +2426,9 @@ REJECTED CVE-2007-5498 RESERVED -CVE-2007-5497 - RESERVED +CVE-2007-5497 (Multiple integer overflows in libext2fs in e2fsprogs ...) + - e2fsprogs 1.37-2sarge1 + - e2fsprogs 1.39+1.40-WIP-2006.11.14+dfsg-2 CVE-2007-5496 RESERVED CVE-2007-5495
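Review bot: in the added CVE-2007-5497 entry, neither "- e2fsprogs" line carries a release tag, although the first version (1.37-2sarge1) is a sarge upload; prefix that line with its release, e.g. "[sarge] - e2fsprogs ...", so the two lines do not read as two entries for the same suite. Also confirm that each listed version is one that actually contains the fix: a version after the package name is read as the fixed version, so if no fixed upload exists yet the line should say "<unfixed>" rather than name the version currently in the archive.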
Hi,
* dom at alioth.debian.org <dom at alioth.debian.org> [2007-12-07 17:20]:
> Author: dom
> Date: 2007-12-07 16:17:48 +0000 (Fri, 07 Dec 2007)
> New Revision: 7545
[...]
> -CVE-2007-5497
> - RESERVED
> +CVE-2007-5497 (Multiple integer overflows in libext2fs in e2fsprogs ...)
> + - e2fsprogs 1.37-2sarge1

Please read the narrative_introduction before committing to
the svn, please. sarge entries need a sarge tag.

> + - e2fsprogs 1.39+1.40-WIP-2006.11.14+dfsg-2

Where did you get this information from?
From what I can see the fix by Novell (namely
e2fsprogs-VUL0_integer_overflow.patch from what I can see)
is not fixed in unstable.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
On Fri, Dec 07, 2007 at 05:35:06PM +0100, Nico Golde wrote:
> Hi,
> * dom at alioth.debian.org <dom at alioth.debian.org> [2007-12-07 17:20]:
> > Author: dom
> > Date: 2007-12-07 16:17:48 +0000 (Fri, 07 Dec 2007)
> > New Revision: 7545
> [...]
> > -CVE-2007-5497
> > - RESERVED
> > +CVE-2007-5497 (Multiple integer overflows in libext2fs in e2fsprogs ...)
> > + - e2fsprogs 1.37-2sarge1
>
> Please read the narrative_introduction before committing to
> the svn, please. sarge entries need a sarge tag.

D'oh, apologies. Missed that point. I think a lot's changed since I
last committed.

> > + - e2fsprogs 1.39+1.40-WIP-2006.11.14+dfsg-2
>
> Where did you get this information from?
> From what I can see the fix by Novell (namely
> e2fsprogs-VUL0_integer_overflow.patch from what I can see)
> is not fixed in unstable.

Oh dear, that was supposed to indicate that the package was vulnerable,
but that's duplicating information from the DSA data in any case.
So, how about:

[sarge] - e2fsprogs <unfixed>
- e2fsprogs <unfixed>

as the two lines for this?

Dominic.
-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Hi Dominic,
* Dominic Hargreaves <dom at earth.li> [2007-12-07 17:59]:
> On Fri, Dec 07, 2007 at 05:35:06PM +0100, Nico Golde wrote:
[...]
> > Please read the narrative_introduction before committing to
> > the svn, please. sarge entries need a sarge tag.
>
> D'oh, apologies. Missed that point. I think a lot's changed since I
> last committed.

Just have a look into doc/narrative_introduction, this should help you.
Feel free to ask for any unanswered questions.

> > > + - e2fsprogs 1.39+1.40-WIP-2006.11.14+dfsg-2
> >
> > Where did you get this information from?
> > From what I can see the fix by Novell (namely
> > e2fsprogs-VUL0_integer_overflow.patch from what I can see)
> > is not fixed in unstable.
>
> Oh dear, that was supposed to indicate that the package was vulnerable,

The tracker tracks if the versions in the distributions are lower than
the one which is marked as fixed so this does not work, there is no
fixed version yet (apart from etch).

> but that's duplicating information from the DSA data in any case.
> so, how about:
>
> [sarge] - e2fsprogs <unfixed>
> - e2fsprogs <unfixed>
>
> As the two lines for this?

Have a look at my commit, this added this item for unstable. It will be
automatically marked as fixed for etch by the auto-update from joey
because there is an entry in DSA/list for this.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.