Felipe Augusto van de Wiel (faw)
2007-Mar-22 01:40 UTC
[Secure-testing-team] Re: Security issues in package ekg
Hi Marcin,

On 03/21/2007 11:37 AM, Marcin Owsiany wrote:
[...]
> 2661: A memory leak in handling image messages, which may cause memory
> exhaustion resulting in a DoS (ekg program crash). Exploitable by a
> hostile GG user.
[...]
> ----------------+-------------------+---------------+-----------------------------
> Dist            | Contains version  | Vulnerable to | Version (to be) fixed in
> ----------------+-------------------+---------------+-----------------------------
> UPSTREAM        | 1.7-RC2           | ALL           | 1.7-RC3 (already released)
> sarge           | 1:1.5+20050411-5  | 2661 only (*) | 1:1.5+20050411-7
> sid,etch        | 1:1.7~rc2-1       | ALL           | 1:1.7~rc2+1-1
> sarge-volatile  | 1:1.5+20050411-6  | 2661 only (*) | 1:1.5+20050411-8
> ----------------+-------------------+---------------+-----------------------------
>
> (*) No GIF OCR code was in these versions, thus they are not vulnerable
>
> Please have a look at the attached minimal patches, I intend to apply
> them to respective versions of updated packages.
>
> Please allocate CVEs for the 3 above issues. I will prepare new packages
> once I have the CVEs.

Thanks for the detailed report. It would probably be good to have an ack, so, for Debian Volatile: ACK! :-)

> regards,
> Marcin
[...]

Kind regards,
--
Felipe Augusto van de Wiel (faw)
"Debian. Freedom to code. Code to freedom!"
Marcin Owsiany
2007-Mar-25 11:38 UTC
[Secure-testing-team] Re: Security issues in package ekg
Steve Langasek
2007-Mar-25 11:50 UTC
[Secure-testing-team] Re: Security issues in package ekg
On Sun, Mar 25, 2007 at 12:37:25PM +0100, Marcin Owsiany wrote:
> I would like to use 1:1.7~rc2-2 and upload to unstable with
> urgency=high. Then, if the release team would let this propagate to
> frozen, we would have a single upload taking care of both sid and etch
> (there would be no other changes - see proposed interdiff attached).

> Please let me know if this is acceptable.

Yes, it is.

Thanks,
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
Marcin Owsiany
2007-Mar-26 17:53 UTC
[Secure-testing-team] Re: Security issues in package ekg