I've created this list and added the team to it so we can have an easier
way to talk among ourselves without having to CC everyone or find the
mails in the other traffic on debian-security. Hope that's ok. This is a
public mailing list, since we don't have any early vulnerability
disclosure.

There's also a mailing list secure-testing-commits@lists.alioth.debian.org
that gets every commit to the svn repository, which some might find useful.

We seem to be about done with 2004 CANs, I see only these that still
have TODO on them, and are probably some of the hard ones (mostly ones I
wimped out on actually):

CAN-2004-0813
	NOTE: ide-cd SG_IO vulnerability
	NOTE: should be fixed in recent 2.6 and 2.4 kernels
	TODO: check
CAN-2004-0745
	TODO: unsure if fixed, probably not. Mailed lha maintainer.
	NOTE: GOTO says first he heard of it, is checking.
CAN-2004-0667
	TODO: kernel-patch-adamantix may contain the RSBAC patch, check
CAN-2004-0658
	TODO: what kernel version fixed this?
CAN-2004-0619
	TODO: unchecked
CAN-2004-0576
	HELP: which one is GNU radius?
	TODO: unchecked
CAN-2004-0527
	TODO: unchecked
CAN-2004-0496
	TODO: unchecked
CAN-2004-0478
	NOTE: only a Mozilla DOS
	TODO: not even fixed upstream

I see that the CVE list is claimed by two of us all the way through
2003-0058, and 2004 is mostly done[1]. This is amazing progress..

And we've found a bunch of holes in sarge:

postgresql 7.4.6-1 needed, have 7.4.5-3 for CAN-2004-0977 [local; low]
perl (unfixed; bug #278404) for CAN-2004-0976 [local; low]
openssl (unfixed; bug #278260) for CAN-2004-0975 [local; low]
netatalk 1.6.4a-1 needed, have 1.6.4-2 for CAN-2004-0974 [local; low]
kbr5 (unfixed; bug #278271; not shipped in binary package) for CAN-2004-0971 [local; low]
arla (unfixed; bug #278273) for CAN-2004-0971 [local; low]
groff 1.18.1.1-2 needed, have 1.18.1.1-1 for CAN-2004-0969 [local; medium]
libc6 (unfixed; bug #278278) for CAN-2004-0968 [local; medium]
gs-common (unfixed; bug #278282) for CAN-2004-0967 [local; medium]
gettext 0.14.1-6 needed, have 0.14.1-5 for CAN-2004-0966 [local; medium]
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0909
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0908
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0906
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0905
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0904
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0903
mozilla-firefox 0.10.1+1.0PR needed, have 0.9.3-5 for CAN-2004-0902
apache2 2.0.53 needed, have 2.0.52-1 for CAN-2004-0885
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0746
konqueror 4:3.2.3-1.sarge.1 needed, have 4:3.2.2-1 for CAN-2004-0721
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0721
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0690
gnats 4.0-6.1 needed, have 4.0-6 for CAN-2004-0623
qla2x00-source (unfixed; bug #27870) for CAN-2004-0587
overkill 0.16-7 needed, have 0.16-6 for CAN-2004-0238
openssh (unfixed; bug #270770) for CAN-2004-0175
iptables 1.2.11-4 needed, have 1.2.11-2 for DSA-580-1
mpg123 0.59r-17 needed, have 0.59r-16 for DSA-578-1
postgresql 7.4.6-1 needed, have 7.4.5-3 for DSA-577-1
kpdf (unfixed; bug #278173) for DSA-573-1
gpdf 2.8.0-1 needed, have 2.8.0-0.1 for DSA-573-1
kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for DSA-539

This suggests what needs to be done next: Follow up on getting these
fixes into unstable (if the bugs aren't yet fixed) and into testing. And
at the same time, since checking the older CANs has found a couple of
unfixed issues, continue working back through 2003.

A few other things that could be done:

- Our CAN list stops at CAN-2004-0979, but the highest CAN yet released
  is a bit higher. Tease a list of the newer CANs out of mitre's web
  site, and maybe come up with an automated way to add new ones to the
  list. Same for CVEs?
- Set up some kind of web site on alioth.

Keep up the good work,

-- 
see shy jo

[1] Question to wart: did you mean to leave the "- " off the front of
    package names whose CAN's you've not fully tested, or was that a
    mistake? My script will not check these.