Stefan Fritsch
2007-Mar-12 10:09 UTC
[Secure-testing-team] Re: [debian-audit] Re: Security audit for TorrentFlux
Hi,

On Monday 12 March 2007 10:13, Javier Fernández-Sanguino Peña wrote:
> On Sun, Mar 11, 2007 at 07:31:16PM -0700, Cameron Dale wrote:
> > unstable (at least, that's how I understand it). So, all the
> > fixes for those bugs have been backported to the 2.1 version that
> > is in unstable.
>
> You *should* update the version in unstable ASAP. Freeze only
> applies to testing, *not* to unstable. The way to get security fixes
> into testing (when frozen) is through unstable. Even though your
> package is not in testing you should make every effort to keep
> unstable security-bug-free. Please mention all CVE names in the
> changelog fixed in your new upload (like you did for 2.1-7)

All open issues are fixed in unstable in 2.1-7, see

http://security-tracker.debian.net/tracker/source-package/torrentflux

Some more thoughts:

- when I looked through it, I found far fewer issues than I expected
  (though I still think that the code quality is very bad). However, I
  am also not a PHP expert and would not consider what I did to be a
  full audit.
- AFAIR most if not all issues were only for authenticated users, so
  maybe one could add a note that it should be only used with trusted
  users. Quake 2 was released with Sarge in this way while having lots
  of security issues.
- in November or so I had a discussion with Micah on IRC and we agreed
  that we did not see any problems with it being released with etch. I
  didn't notice the discussion on debian-release, though.

Cheers,
Stefan
Cameron Dale
2007-Mar-14 21:28 UTC
[Secure-testing-team] Re: [debian-audit] Re: Security audit for TorrentFlux
Stefan Fritsch wrote:
> All open issues are fixed in unstable in 2.1-7, see
>
> http://security-tracker.debian.net/tracker/source-package/torrentflux
>
> Some more thoughts:
> - when I looked through it, I found far fewer issues than I expected
>   (though I still think that the code quality is very bad). However, I
>   am also not a PHP expert and would not consider what I did to be a
>   full audit.
> - AFAIR most if not all issues were only for authenticated users, so
>   maybe one could add a note that it should be only used with trusted
>   users. Quake 2 was released with Sarge in this way while having lots
>   of security issues.
> - in November or so I had a discussion with Micah on IRC and we agreed
>   that we did not see any problems with it being released with etch. I
>   didn't notice the discussion on debian-release, though.

Is there any chance of getting an audit done for this package? As Stefan
mentioned, there are no open security issues in unstable and the package
seems safe. I'm not sure if it's too late to get this into Etch,
considering the recent announcement about the new release timeline. Anyone?

Thanks,
Cameron
Javier Fernández-Sanguino Peña
2007-Mar-14 22:21 UTC
[Secure-testing-team] Re: [debian-audit] Re: Security audit for TorrentFlux
On Wed, Mar 14, 2007 at 01:31:27PM -0700, Cameron Dale wrote:
> Is there any chance of getting an audit done for this package? As Stefan
> mentioned, there are no open security issues in unstable and the package
> seems safe. I'm not sure if it's too late to get this into Etch,
> considering the recent announcement about the new release timeline. Anyone?

It's too late to get it into etch. In any case, an audit for this package
is still possible. I cannot commit to it until after the release, but if
no one steps up, I could take care of it.

Regards

Javier