Joey Hess
2006-Mar-13 12:28 UTC
[Secure-testing-team] report on current state of sarge security
Over the past couple of weeks the testing security team has reviewed all CAN and CVE entries announced since the release of woody, to check which of these security holes are still present in sarge. Adding this to the earlier work to review DSAs, we now have a pretty good picture of unfixed security holes in sarge, and can be reasonably sure that there are no old forgotten security holes that never got a fix into sarge. Although it's always possible we missed some or made mistakes, and we still have 50 or so items marked TODO or HELP.

We checked about 2700 items, of these about 600 had affected Debian at some point, and 26 remain unfixed in sarge:

kaffeine 0.4.3.1-3 needed, have 0.4.3-1 for CAN-2004-1034
    Blocked by kde, t-p-u upload candidate.
gxine (unfixed; bug #279747) for CAN-2004-1034
    Was supposed to be fixed last weekend, was not, NMU candidate.
fcron 2.9.5.1-1 needed, have 2.9.4-3.1 for CAN-2004-1033
fcron 2.9.5.1-1 needed, have 2.9.4-3.1 for CAN-2004-1032
fcron 2.9.5.1-1 needed, have 2.9.4-3.1 for CAN-2004-1031
fcron 2.9.5.1-1 needed, have 2.9.4-3.1 for CAN-2004-1030
    Blocked by libselinux (should go in in 4 days).
zip 2.30-8 needed, have 2.30-6 for CAN-2004-1010
    Held out by missing hppa build.
ppp 2.4.2+20040428-3 needed, have 2.4.2+20040428-2 for CAN-2004-1002
    Candidate to be forced into testing, if the diff seems sane to RMs. If not we should backport only the security fix to t-p-u.
iptables 1.2.11-4 needed, have 1.2.11-2 for CAN-2004-0986
    Candidate to be forced into testing, if the diff seems sane to RMs. Changes seem minimal and necessary.
mailutils 1:0.5-4 needed, have 1:0.5-3 for CAN-2004-0984
    A missing mips build apparently happened 5 Nov, but was not uploaded. FTBFS on s390 due to test suite failures, which has happened before (#192962, #265490).
perl 5.8.4-4 needed, have 5.8.4-3 for CAN-2004-0976
    FTBFS on mipsel due to test suite failures. Note that this happened for -3 also, and yet it somehow got built and into sarge anyway. How?
openssl 0.9.7e-1 needed, have 0.9.7d-5 for CAN-2004-0975
    New upstream with several security fixes, needs RM review.
libc6 (unfixed; bug #278278) for CAN-2004-0968
    So far no response from maintainers. NMU candidate, if this wasn't glibc..
samba 3.0.8-1 needed, have 3.0.7-2 for CAN-2004-0930
    Missing alpha build from 18th.
koffice 1:1.3.4-1 needed, have 1:1.3.2-1.sarge.1 for CAN-2004-0888
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0746
konqueror 4:3.2.3-1.sarge.1 needed, have 4:3.2.2-1 for CAN-2004-0721
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0721
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0690
    All of these are fixed in t-p-u, but blocked for well understood reasons.
kernel-source-2.4.27 (unfixed; bug #280492) for CAN-2003-0465
    strncpy in kernel does not pad with zeroes. May not be a RC security hole.
ssh (unfixed; bug #281595) for CAN-2003-0190
    Limited vulnerability (information leak).
apache 1.3.33-2 needed, have 1.3.31-7 for DSA-594-1
    Was uploaded with wrong urgency, should have an urgent hint added.
libgd1 (unfixed; bug #280134) for DSA-589-1
    Unknown delay getting patch applied, NMU candidate.
kpdf 4:3.3.1-1 needed, have 4:3.2.3-1.1 for DSA-573-1
kfax 4:3.3.1-1 needed, have 4:3.2.3-1.1 for DSA-573-1
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for DSA-539
    IIRC fixes for these are not in t-p-u yet.

-- 
see shy jo
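Not part of the original thread: an added Python example that parses the report's "needed, have" lines and reimplements dpkg's version ordering (epoch, upstream, Debian revision, with "~" sorting before everything) so a script can check that the version a fix needs really is newer than the one in sarge. REPORT is a constructed sample and the two regexes assume the exact line format used in the report above.

```python
import re

REPORT = (  # constructed sample: three entries in the report's own line format
    "kaffeine 0.4.3.1-3 needed, have 0.4.3-1 for CAN-2004-1034\n"
    "gxine (unfixed; bug #279747) for CAN-2004-1034\n"
    "openssl 0.9.7e-1 needed, have 0.9.7d-5 for CAN-2004-0975\n"
)

def _order(c):
    """dpkg character weight: '~' < end of string < letters < other punctuation."""
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256
def _cmp_part(a, b):
    """Compare an upstream or revision string as dpkg does: alternate non-digit and digit runs."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa, ob = _order(na[i:i + 1]), _order(nb[i:i + 1])  # "" once past the end
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0
def _split(v):
    """Split [epoch:]upstream[-revision]; the last '-' starts the Debian revision."""
    epoch, sep, rest = v.partition(":")
    epoch, rest = (int(epoch), rest) if sep else (0, v)
    upstream, sep, revision = rest.rpartition("-")
    return epoch, (upstream if sep else rest), (revision if sep else "")
def compare_versions(a, b):
    """Return -1, 0 or 1 with the semantics of `dpkg --compare-versions`."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

NEEDED = re.compile(r"^(\S+) (\S+) needed, have (\S+) for (\S+)$")
UNFIXED = re.compile(r"^(\S+) \(unfixed; bug #(\d+)\) for (\S+)$")
def triage(report):
    """Return (package, issue, status) per line, flagging 'needed' versions not newer than 'have'."""
    out = []
    for line in report.splitlines():
        if m := NEEDED.match(line):
            pkg, need, have, issue = m.groups()
            out.append((pkg, issue, "fix-pending" if compare_versions(need, have) > 0 else "inconsistent"))
        elif m := UNFIXED.match(line):
            out.append((m.group(1), m.group(3), "unfixed-bug-" + m.group(2)))
    return out
```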
Martin Schulze
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: report on current state of sarge security
Steve Langasek wrote:
> > perl 5.8.4-4 needed, have 5.8.4-3 for CAN-2004-0976
> > FTBFS on mipsel due to test suite failures.
> > Note that this happened for -3 also, and yet it somehow got built
> > and into sarge anyway. How?
> 
> Probably a hand-build outside the autobuilders. <sigh>

Looks like:

./2004/10/31/perl_5.8.4-3_mipsel.changes
Good signature from "Matthias Klose <doko@debian.org>" (0x0F932C9C)

Regards,

	Joey

-- 
A mathematician is a machine for converting coffee into theorems. Paul Erdős
Frank Lichtenheld
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: report on current state of sarge security
On Tue, Nov 23, 2004 at 03:15:17PM -0500, Joey Hess wrote:
> Over the past couple of weeks the testing security team has reviewed all
> CAN and CVE entries announced since the release of woody, to check which
> of these security holes are still present in sarge. Adding this to the
> earlier work to review DSAs, we now have a pretty good picture of
> unfixed security holes in sarge, and can be reasonably sure that there
> are no old forgotten security holes that never got a fix into sarge. Although
> it's always possible we missed some or made mistakes, and we still have 50
> or so items marked TODO or HELP.
> 
> We checked about 2700 items, of these about 600 had affected Debian at
> some point, and 26 remain unfixed in sarge:

I will take care of the NMU candidates at the BSP weekend if not fixed until then.

Regards,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/
Matthias Klose
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: report on current state of sarge security
Joey Hess writes:
> perl 5.8.4-4 needed, have 5.8.4-3 for CAN-2004-0976
> FTBFS on mipsel due to test suite failures.
> Note that this happened for -3 also, and yet it somehow got built
> and into sarge anyway. How?

I am unable to reproduce the failures in a current unstable chroot on tbm's machine.

Matthias
Steve Langasek
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: report on current state of sarge security
Updates to these:

On Tue, Nov 23, 2004 at 03:15:17PM -0500, Joey Hess wrote:
> gxine (unfixed; bug #279747) for CAN-2004-1034
> Was supposed to be fixed last weekend, was not, NMU candidate.

This is fixed in gxine 0.4-rc1 in unstable. Held out by atk1.0 (8 of 10 days), pango1.0 (3 of 10 days, missing powerpc build).

> fcron 2.9.5.1-1 needed, have 2.9.4-3.1 for CAN-2004-1033
> fcron 2.9.5.1-1 needed, have 2.9.4-3.1 for CAN-2004-1032
> fcron 2.9.5.1-1 needed, have 2.9.4-3.1 for CAN-2004-1031
> fcron 2.9.5.1-1 needed, have 2.9.4-3.1 for CAN-2004-1030
> Blocked by libselinux (should go in in 4 days).

Reset by a libselinux upload, now needs 9 more days; will revisit w/ Manoj after the weekend to see if the urgency can be bumped.

> zip 2.30-8 needed, have 2.30-6 for CAN-2004-1010
> Held out by missing hppa build.

Made it to testing.

> ppp 2.4.2+20040428-3 needed, have 2.4.2+20040428-2 for CAN-2004-1002
> Candidate to be forced into testing, if the diff seems sane
> to RMs. If not we should backport only the security fix to t-p-u.

I've reviewed this and it looks ok to me, though it seems that the fix for 278082 actually exacerbated the problem by breaking IPX on older kernels as well. Waiting for maintainer's response before pushing this one in.

> iptables 1.2.11-4 needed, have 1.2.11-2 for CAN-2004-0986
> Candidate to be forced into testing, if the diff seems sane
> to RMs. Changes seem minimal and necessary.

Done.

> perl 5.8.4-4 needed, have 5.8.4-3 for CAN-2004-0976
> FTBFS on mipsel due to test suite failures.
> Note that this happened for -3 also, and yet it somehow got built
> and into sarge anyway. How?

Probably a hand-build outside the autobuilders. <sigh>

> openssl 0.9.7e-1 needed, have 0.9.7d-5 for CAN-2004-0975
> New upstream with several security fixes, needs RM review.

Reviewed and approved.

> samba 3.0.8-1 needed, have 3.0.7-2 for CAN-2004-0930
> Missing alpha build from 18th.

Expected to go in tomorrow.

> apache 1.3.33-2 needed, have 1.3.31-7 for DSA-594-1
> Was uploaded with wrong urgency, should have an urgent hint added.

Urgent hint added.

Thanks to all who've worked on this massive security review.

-- 
Steve Langasek
postmodern programmer
Bastian Blank
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: report on current state of sarge security
On Tue, Nov 23, 2004 at 03:15:17PM -0500, Joey Hess wrote:
> We checked about 2700 items, of these about 600 had affected Debian at
> some point, and 26 remain unfixed in sarge:

You missed at least one:

kernel-image-2.6.8-s390 2.6.8-3 needed, have 2.6.8-2 for CAN-2004-0887
    Should arrive in testing at the end of the weekend.

and maybe the sources:

kernel-source-2.6.8 2.6.8-10 needed for CAN-2004-0887

Bastian

-- 
No one wants war.
		-- Kirk, "Errand of Mercy", stardate 3201.7