Author: jmm-guest Date: 2005-12-13 09:49:46 +0000 (Tue, 13 Dec 2005) New Revision: 3023 Modified: data/CVE/list Log: two new kernel issues picked from linux-kernel Modified: data/CVE/list ==================================================================--- data/CVE/list 2005-12-13 08:50:09 UTC (rev 3022) +++ data/CVE/list 2005-12-13 09:49:46 UTC (rev 3023) @@ -1,3 +1,7 @@ +CVE-2005-XXXX [Another fib_lookup DoS] + - linux-2.6 <unfixed> +CVE-2005-XXXX [DoS in i82365 driver] + - linux-2.6 <unfixed> CVE-2005-4178 [Heap overflow in Dropbear sshd] - dropbear 0.47-1 (high) CVE-2005-4164 (SQL injection vulnerability in view.php in PHP-addressbook 1.2 allows ...)
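Review bot: The two CVE-2005-XXXX entries added at the top of data/CVE/list cannot be identified from the change itself. Each has only a bracketed title and a "- linux-2.6 <unfixed>" line, and the log message says no more than "picked from linux-kernel". Both entries also share the same placeholder id, so the title is the only thing that tells them apart. Suggest adding a reference under each one (a link to the linux-kernel post or patch, or a bug number) so that someone other than the committer can match the entry to the right CVE name once it is assigned.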
Florian Weimer
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [Secure-testing-commits] r3023 - data/CVE
* Moritz Muehlenhoff:

> +CVE-2005-XXXX [Another fib_lookup DoS]
> + - linux-2.6 <unfixed>
> +CVE-2005-XXXX [DoS in i82365 driver]
> + - linux-2.6 <unfixed>

Would it be possible to add a cross-reference in such cases, preferably to MARC, or a bug number? Otherwise, it's hard to figure out which issue it is.
Florian Weimer
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [Secure-testing-commits] r3023 - data/CVE
* Moritz Muehlenhoff:

> Florian Weimer wrote:
>> * Moritz Muehlenhoff:
>>
>> > +CVE-2005-XXXX [Another fib_lookup DoS]
>> > + - linux-2.6 <unfixed>
>> > +CVE-2005-XXXX [DoS in i82365 driver]
>> > + - linux-2.6 <unfixed>
>>
>> Would it be possible to add a cross-reference in such cases,
>> preferably to MARC, or a bug number? Otherwise, it's hard to figure
>> out which issue it is.
>
> The kernel is a bit special, because issues are frequent, upstream
> information policy is vague and fixes need to be applied to a
> plethora of Woody, Sarge and sid kernels.

I'm aware of the problems. 8-]

The trouble with the above two entries is that they provide so little information. Maybe you could add a URL: tag, something like this?

CVE-2005-XXXX [Another fib_lookup DoS]
    URL: http://svn.debian.org/wsvn/kernel/patch-tracking/...
    URL: http://marc.theaimsgroup.com/?m=...

Anything which would be helpful in identifying the issue would help. Otherwise, only you can merge it with the CVE entry when the CVE name is assigned.

If this is too much work, I'm not sure if it makes sense to add these entries before a CVE is assigned.

> Thus, most kernel tracking is now done in the Subversion repo of the
> kernel team (in the patchtracking/ directory).

That is <http://svn.debian.org/wsvn/kernel/patch-tracking/>, but I can't find the two issues over there.
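An added example, not part of the thread or of the secure-testing tooling: a small check that flags placeholder entries with no cross-reference, the situation the message above describes. It assumes the entry layout visible in the r3023 diff with tab-indented detail lines, treats the proposed `URL:` tag as if it were adopted, and assumes a bug number is written as `#` followed by digits.

```python
import re

# Constructed sample in the layout shown in the r3023 diff. The "URL:" line
# uses the tag proposed in the thread; its value is a made-up placeholder.
SAMPLE = """\
CVE-2005-XXXX [Another fib_lookup DoS]
\tURL: http://marc.example/?m=placeholder
\t- linux-2.6 <unfixed>
CVE-2005-XXXX [DoS in i82365 driver]
\t- linux-2.6 <unfixed>
CVE-2005-4178 [Heap overflow in Dropbear sshd]
\t- dropbear 0.47-1 (high)
"""

# Entry header: an id (real number or XXXX placeholder) and a [..] or (..) title.
HEADER = re.compile(r"^(CVE-\d{4}-(?:\d+|XXXX))\s+[\[(](.*)[\])]\s*$")
# Assumed reference forms: a "URL:" tag or a "#123456"-style bug number.
REFERENCE = re.compile(r"^\s+(?:URL:\s*\S+|.*#\d+)")

def parse_entries(text):
    """Split the list into entries: a header line plus its indented detail lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = HEADER.match(line)
        if m:
            entries.append({"id": m.group(1), "title": m.group(2),
                            "line": lineno, "details": []})
        elif line[:1] in (" ", "\t") and line.strip():
            if not entries:
                raise ValueError(f"line {lineno}: detail line before any entry")
            entries[-1]["details"].append(line)
        elif line.strip():
            raise ValueError(f"line {lineno}: unrecognised line {line!r}")
    return entries

def unreferenced_placeholders(text):
    """Return (line, title) for placeholder entries with no URL or bug number."""
    return [
        (e["line"], e["title"])
        for e in parse_entries(text)
        if e["id"].endswith("-XXXX")
        and not any(REFERENCE.match(d) for d in e["details"])
    ]

if __name__ == "__main__":
    for line, title in unreferenced_placeholders(SAMPLE):
        print(f"line {line}: placeholder entry without cross-reference: {title}")
```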
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [Secure-testing-commits] r3023 - data/CVE
Florian Weimer wrote:

> > +CVE-2005-XXXX [Another fib_lookup DoS]
> > + - linux-2.6 <unfixed>
> > +CVE-2005-XXXX [DoS in i82365 driver]
> > + - linux-2.6 <unfixed>
>
> Would it be possible to add a cross-reference in such cases,
> preferably to MARC, or a bug number? Otherwise, it's hard to figure
> out which issue it is.

BTW, these two specific issues can be found on linux-kernel in the current thread for the stable review process of 2.6.14.4.

Cheers,
Moritz
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [Secure-testing-commits] r3023 - data/CVE
Florian Weimer wrote:

> * Moritz Muehlenhoff:
>
> > +CVE-2005-XXXX [Another fib_lookup DoS]
> > + - linux-2.6 <unfixed>
> > +CVE-2005-XXXX [DoS in i82365 driver]
> > + - linux-2.6 <unfixed>
>
> Would it be possible to add a cross-reference in such cases,
> preferably to MARC, or a bug number? Otherwise, it's hard to figure
> out which issue it is.

The kernel is a bit special, because issues are frequent, upstream information policy is vague and fixes need to be applied to a plethora of Woody, Sarge and sid kernels.

Thus, most kernel tracking is now done in the Subversion repo of the kernel team (in the patchtracking/ directory). I'm gatewaying the relevant bits to the secure-testing tracker, but anyone with a special interest should better subscribe to the kernel-svn-commit mailing list instead.

Cheers,
Moritz