sf at sfritsch.de
2007-Sep-09 00:03 UTC
[Secure-testing-team] Security update for Debian Testing
This automatic mail gives an overview of security issues that were recently fixed in Debian Testing. The majority of fixed packages migrate to testing from unstable. If this would take too long, fixed packages are uploaded to the testing-security repository instead. It can also happen that vulnerable packages are removed from Debian testing.

Migrated from unstable:
======================

konversation 1.0.1-4:
CVE-2007-4400: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4400
http://bugs.debian.org/439837

tar 1.18-2:
CVE-2007-4131: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4131
http://bugs.debian.org/439335

zoph 0.7.0.2-2:
CVE-2007-3905: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3905
http://bugs.debian.org/435711

How to update:
--------------
Make sure the line

deb http://security.debian.org lenny/updates main contrib non-free

is present in your /etc/apt/sources.list. You can use

aptitude update && aptitude dist-upgrade

to install the updates.

More information:
-----------------
More information about which security issues affect Debian can be found in the security tracker:
http://security-tracker.debian.net/tracker/

A list of all known unfixed security issues is at
http://security-tracker.debian.net/tracker/status/release/testing
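The mail above lists a fixed source version per package but leaves the "am I affected?" check to the reader. The following is an added example, not part of the list mail and not Debian's own tooling: it parses the package/version entries from the announcement, re-implements the dpkg version ordering (epoch, then upstream, then revision; '~' sorts before everything, letters before other characters, digit runs compared numerically) so it runs without dpkg, and compares a constructed inventory against the fixed versions. The inventory in SAMPLE_INSTALLED and the function names are assumptions for illustration only.

```python
import re

# Package/version lines copied from the announcement above.
ANNOUNCEMENT = """\
konversation 1.0.1-4:
CVE-2007-4400: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4400
http://bugs.debian.org/439837

tar 1.18-2:
CVE-2007-4131: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4131
http://bugs.debian.org/439335

zoph 0.7.0.2-2:
CVE-2007-3905: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3905
http://bugs.debian.org/435711
"""

# Constructed inventory (not from the page): what `dpkg-query -W` might print.
SAMPLE_INSTALLED = {
    "konversation": "1.0.1-3",   # one revision behind the fix
    "tar": "1.18-2+b1",          # binNMU of the fixed version, still counts as fixed
    # zoph is not installed at all
}

_ENTRY = re.compile(r"^([a-z0-9][a-z0-9.+-]*) (\d\S*):$")
_CVE = re.compile(r"\bCVE-\d{4}-\d+\b")


def parse_announcement(text):
    """Map source package -> (fixed version, [CVE ids]) from the mail body."""
    fixed, current = {}, None
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            current = m.group(1)
            fixed[current] = (m.group(2), [])
        elif current:
            for cve in _CVE.findall(line):      # CVE appears in id and URL; dedupe
                if cve not in fixed[current][1]:
                    fixed[current][1].append(cve)
    return fixed


def _order(c):
    """dpkg's character weight: '~' < end/digit < letters < everything else."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare one upstream or revision string the way dpkg's verrevcmp does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: compare character weights position by position
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: drop leading zeros, then the longer run wins, else first differing digit
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split [epoch:]upstream[-revision]; missing epoch is 0, missing revision is ''."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, rev = (v.rsplit("-", 1) if "-" in v else (v, ""))
    return epoch, upstream, rev


def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _cmp_fragment(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def audit(installed, announcement=ANNOUNCEMENT):
    """Return {package: (status, installed_version, fixed_version, cves)}."""
    report = {}
    for pkg, (fixed, cves) in parse_announcement(announcement).items():
        have = installed.get(pkg)
        if have is None:
            status = "not-installed"
        elif compare_versions(have, fixed) >= 0:
            status = "fixed"
        else:
            status = "vulnerable"
        report[pkg] = (status, have, fixed, cves)
    return report


if __name__ == "__main__":
    for pkg, (status, have, fixed, cves) in sorted(audit(SAMPLE_INSTALLED).items()):
        print("%-13s %-14s installed=%-10s fixed=%-10s %s"
              % (pkg, status, have, fixed, ",".join(cves)))
```

On a real Debian host the ordering is already available as `dpkg --compare-versions A lt B`, and the inventory comes from `dpkg-query -W`; the point of re-implementing it here is to show why a plain string or float comparison is wrong for Debian versions (epochs, '~' pre-releases, and binNMU suffixes such as +b1 all sort differently from what naive comparison gives). Two caveats the mail itself does not spell out: the listed version is the source package version, so binary packages built from it may carry different names, and a binNMU suffix on the installed version still means you have the fix.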
Steffen Joeris
2007-Sep-11 02:24 UTC
[Secure-testing-team] Security update for Debian Testing
Hi

Sorry for the late response.

On Sun, 9 Sep 2007 10:03:58 am sf at sfritsch.de wrote:
> This automatic mail gives an overview over security issues that were
> recently fixed in Debian Testing. The majority of fixed packages migrates
> to testing from unstable. If this would take too long, fixed packages are
> uploaded to the testing-security repository instead. It can also happen
> that vulnerable packages are removed from Debian testing.

I would just add a short comment here:

In case the package got removed, we encourage the admin to remove the package as well or take other measures.

> Migrated from unstable:
> ======================
> konversation 1.0.1-4:
> CVE-2007-4400: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4400
> http://bugs.debian.org/439837
>
> tar 1.18-2:
> CVE-2007-4131: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4131
> http://bugs.debian.org/439335
>
> zoph 0.7.0.2-2:
> CVE-2007-3905: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3905
> http://bugs.debian.org/435711
>
> How to update:
> --------------
> Make sure the line
>
> deb http://security.debian.org lenny/updates main contrib non-free

I would also add the normal line for ftp.debian.org here (maybe without contrib and non-free). This again makes sure that people have both in and get the package fixes from migration.

I was talking to nion last night and we were unsure about the following. The DTSA announcements always included some nice additional information and I would guess that sysadmins appreciate this information in the announcement. Therefore, we were wondering if we should continue sending out DTSA announcements for uploads to testing-security, in addition to this mail. Of course, if there are strong objections, we will leave it out.

Cheers
Steffen
Hi,
* Steffen Joeris <steffen.joeris at skolelinux.de> [2007-09-11 14:05]:
[...]
> I was talking to nion last night and we were unsure about the following. The
> DTSA announcements always included some nice additional information and I
> would guess that sysadmins appreciate these information in the announcement.
> Therefore, we were wondering, if we should continue sending out DTSA
> announcements for uploads to testing-security, in addition to this mail. Of
> course, if there are strong objections, we will leave it out.

Not only is the description a nice-to-have, but the Subject line of the mail also gets a lot of attention, and stripping the useful information out of it, like which package is affected, doesn't look like a good idea, while these summary mails are indeed useful. Is there any way to automate DTSA announcements? That would be really great, since there is so much you need to look at that could be done wrong, but generating the mail out of an .adv file shouldn't be a big deal. Am I missing something?

Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Stefan Fritsch
2007-Sep-11 20:02 UTC
[Secure-testing-team] Security update for Debian Testing
Hi,

On Tue, 11 Sep 2007, Steffen Joeris wrote:
> I would just add a short comment here:
>
> In case the package got removed, we encourage the admin to remove
> the package as well or take other measures.

This blurb is automatically added if there is a package that is removed:

The following issues have been "fixed" by removing the (source) packages from testing. This probably means that you have to manually uninstall the corresponding binary packages to fix the issues. It can also mean that the packages have been replaced, or that they have been temporarily removed by the release team to make transitions from unstable easier.

>> deb http://security.debian.org lenny/updates main contrib non-free
>
> I would also add the normal line for ftp.debian.org here (maybe
> without contrib and non-free). This again makes sure that the people
> have both in and get the packages fixes from migration.

I will add a note (people will have to use their own mirrors anyway).

> I was talking to nion last night and we were unsure about the
> following. The DTSA announcements always included some nice
> additional information and I would guess that sysadmins appreciate
> these information in the announcement. Therefore, we were wondering,
> if we should continue sending out DTSA announcements for uploads to
> testing-security, in addition to this mail. Of course, if there are
> strong objections, we will leave it out.

The problem is that DTSA announcements give the impression that the uploads to testing-security are more important than the fixes that are migrating from unstable. But this is misleading. For example, the krb5 fixes were very important but came via unstable. Therefore I am against different types of announcements.

On Tue, 11 Sep 2007, Nico Golde wrote:
> Not only the description is a nice-to-have but also the
> Subject line of the mail gets a big attention and stripping
> the useful information out there like which package is
> affected doesn't look like a good idea while these summary
> mails are indeed useful. Is there any way to automate DTSA
> announcements? That would be really great since there is so
> much you need to look at that could be made wrong but
> generating the mail out of an .adv file shouldn't be a big
> deal. Do I miss something?

Of course the old announcements contained more information. But this had to be added by hand (in the .adv file) and is not available for all issues. If there was some publicly available source for short CVE summaries, I would include them. But putting the list of packages in the subject would probably be possible (at least if there are only a few fixes).

Cheers,
Stefan
Moritz Muehlenhoff
2007-Sep-11 20:18 UTC
[Secure-testing-team] Security update for Debian Testing
Stefan Fritsch wrote:
> > I was talking to nion last night and we were unsure about the
> > following. The DTSA announcements always included some nice
> > additional information and I would guess that sysadmins appreciate
> > these information in the announcement. Therefore, we were wondering,
> > if we should continue sending out DTSA announcements for uploads to
> > testing-security, in addition to this mail. Of course, if there are
> > strong objections, we will leave it out.
>
> The problem is that DTSA announcements give the impression that the
> uploads to testing-security are more important than the fixes that
> are migrating from unstable. But this is misleading. For example, the
> krb5 fixes were very important but came via unstable. Therefore I am
> against different types of announcements.

I agree. All crucial information can be added to the automated mail.

> On Tue, 11 Sep 2007, Nico Golde wrote:
> > Not only the description is a nice-to-have but also the
> > Subject line of the mail gets a big attention and stripping
> > the useful information out there like which package is
> > affected doesn't look like a good idea while these summary
> > mails are indeed useful. Is there any way to automate DTSA
> > announcements? That would be really great since there is so
> > much you need to look at that could be made wrong but
> > generating the mail out of an .adv file shouldn't be a big
> > deal. Do I miss something?
>
> Of course the old announcements contained more information. But this
> had to be added by hand (in the .adv file) and is not available for
> all issues. If there was some publicly available source for short CVE
> summaries, I would include them.

Maybe display three lines from the CVE description and cut off with (..) if there is more. This will provide enough overview information in most cases.

Cheers,
Moritz