Jarek Kamiński
2008-Nov-03 20:22 UTC
[Secure-testing-team] Security update for Debian Testing - 2008-11-03
On Mon, Nov 03, 2008 at 02:04:55AM +0100, secure-testing-team at lists.alioth.debian.org wrote:
> This automatic mail gives an overview over security issues that were recently
> fixed in Debian Testing. The majority of fixed packages migrate to testing
> from unstable. If this would take too long, fixed packages are uploaded to the
> testing-security repository instead. It can also happen that vulnerable
> packages are removed from Debian testing.
>
> Migrated from unstable:
> ======================
> libgadu 1:1.8.0+r592-3:
> CVE-2008-4776: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4776
> http://bugs.debian.org/503916

At first glance it looks, that kadu may also be affected. It isn't linked to libgadu from libgadu3 package and comes with own copy of libgadu sources (not patched). Can someone confirm that?

I won't have time to fully verify it before Friday, so excuse me, if it's just a false alarm.

Jarek.
Marcin Owsiany
2008-Nov-03 20:44 UTC
[Secure-testing-team] Bug#503916: Security update for Debian Testing - 2008-11-03
On Mon, Nov 03, 2008 at 09:22:29PM +0100, Jarek Kamiński wrote:
> On Mon, Nov 03, 2008 at 02:04:55AM +0100, secure-testing-team at lists.alioth.debian.org wrote:
> > This automatic mail gives an overview over security issues that were recently
> > fixed in Debian Testing. The majority of fixed packages migrate to testing
> > from unstable. If this would take too long, fixed packages are uploaded to the
> > testing-security repository instead. It can also happen that vulnerable
> > packages are removed from Debian testing.
> >
> > Migrated from unstable:
> > ======================
> > libgadu 1:1.8.0+r592-3:
> > CVE-2008-4776: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4776
> > http://bugs.debian.org/503916
>
> At first glance it looks, that kadu may also be affected. It isn't
> linked to libgadu from libgadu3 package and comes with own copy of
> libgadu sources (not patched). Can someone confirm that?

I guess the maintainer is the right person to ask.

--
Marcin Owsiany <porridge at debian.org>
http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
Nico Golde
2008-Nov-03 21:17 UTC
[Secure-testing-team] Bug#503916: Security update for Debian Testing - 2008-11-03
Hi,

* Jarek Kamiński <jarek at vilo.eu.org> [2008-11-03 22:07]:
> On Mon, Nov 03, 2008 at 02:04:55AM +0100, secure-testing-team at lists.alioth.debian.org wrote:
> > This automatic mail gives an overview over security issues that were recently
> > fixed in Debian Testing. The majority of fixed packages migrate to testing
> > from unstable. If this would take too long, fixed packages are uploaded to the
> > testing-security repository instead. It can also happen that vulnerable
> > packages are removed from Debian testing.
> >
> > Migrated from unstable:
> > ======================
> > libgadu 1:1.8.0+r592-3:
> > CVE-2008-4776: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4776
> > http://bugs.debian.org/503916
>
> At first glance it looks, that kadu may also be affected. It isn't
> linked to libgadu from libgadu3 package and comes with own copy of
> libgadu sources (not patched). Can someone confirm that?

Yes confirmed, kadu is embedding libgadu completely and linking against this version. It has the same problem, a bug has been filed.

Thanks for the notice!

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.