Hi,
I went through all the open Lenny security issues and commented on them
briefly. If everyone picks two and fixes them (or brings the respective
maintainer into fixing them :-), we'll have a lot less work post release.

Cheers,
        Moritz

dia / #504251
  Unfixed, no maintainer reaction, patch available

dovecot / CVE-2008-4578
  Upstream patch for 1.1 in #502967, needs backport. The issue itself looks
  harmless, might be suitable for no-dsa for Lenny

egroupware / CVE-2007-3215
  Should be fixed by using the system wide libphp-mailer, #504283, I remember
  vaguely that the phpmailer issue is only exploitable if certain
  preconditions are met, it should be checked, whether these really apply to
  egroupware.

liquidsoap / CVE-2008-4965
  Fixed in a DTSA, but doesn't seem to have reached Lenny yet?

glibc / CVE-2008-1447
  Florian, do you know the status of a hardened resolver?

movabletype-opensource / CVE-2008-4634
  Upstream says that more issues are coming, no reaction from upstream since
  8 Nov 2008
  Patch for XSS issue is extracted

mysql-dfsg-5.0 / CVE-2008-4098
  Devin, you prepared the DSA. Since the upstream release is much more recent
  than Lenny and won't migrate, can you prepare an update for
  Lenny/testing-proposed-updates?

ffmpeg-debian / CVE-2008-4869
  It's a bit silly to single out a few security problems, since ffmpeg issues
  aren't systematically tracked. Maintainer has prepared patches for this.

ktorrent / #504178
  The ktorrent2.2 package was fixed already, prodded maintainer.

opendb / CVE-2008-4796
  Filed for removal, #505728. Make sure it's removed before Lenny release.

linux-2.6 / CVE-2007-6514
  This one needs retesting with current kernels.

linux-2.6 / CVE-2008-4933, CVE-2008-4934, CVE-2008-5025, CVE-2008-5029
  Patches are available upstream, should be merged into the next -11 upload.

mplayer / CVE-2007-6718
  The infinite loop is harmless, the other two open issues should be checked
  in more depth, but they appear as regular bugs rather than security issues.

mplayer / CVE-2008-4610
  The ogm file is handled gracefully, the aac file crashes mplayer, but needs
  some checking, whether it's really a security problem.

nagios3 / CVE-2008-5028
  The maintainer is working on an update.

openldap / #253838
  Needs more prodding.

php5 / CVE-2008-4107
  php-suhosin provides proper randomisation, but this needs more visible
  documentation. Maybe the release notes or the existing
  README.Debian.security?

pidgin / CVE-2008-2955, CVE-2008-2956
  Patch status unclear.

python2.[45] / CVE-2008-4864
  2.5 fixed in unstable, 2.4 missing.

qemu / CVE-2008-0928
  Patches break existing images.

qemu / CVE-2008-4539
  Fixed in experimental, unstable still needed.

redhat-cluster CVE-2008-4192 / CVE-2008-4579 / CVE-2008-4580
  Fixed in unstable, need lenny backports

ruby1.9 / CVE-2008-3443
  This one's unclear. This needs to be reproduced with the milw0rm
  POC and checked with upstream (other Ruby regex issues were recently
  fixed).

ruby1.9 / CVE-2008-3905
  Maybe this is already fixed and was only forgotten in the changelog,
  needs further checks or contacting the maintainer.

smarty CVE-2008-4810 / CVE-2008-4811
  I'm not sure about the exact status.

tor / #505178
  Fixed in experimental, Peter will fix it for Lenny with an upcoming point
  release.

xemacs21 / CVE-2008-2142
  xemacs seems fairly unmaintained, so this likely needs a NMU.

xen-3 / CVE-2008-4993, CVE-2008-2004, CVE-2008-4405
  Patches can be picked from Red Hat, since they've already released updates.

xine-lib #498243
  No upstream patches, but the descriptions in the advisory are fairly
  verbose.

universalindentgui (#504726)
  Patch available in the bug, but package and the patch need further
  cleanups. It might also be an option to drop it from Lenny and let it
  mature more for Squeeze.

wordpress (504771)
  No patch yet.

Unclear older Mozilla issues, the ones w/o references to Mozilla bug entries
should be sent to security at mozilla.org for status/clarification:

xulrunner CVE-2007-3144, CVE-2007-3827
iceape    CVE-2007-1084, CVE-2007-3144, CVE-2007-3827
icedove   CVE-2008-0419
iceweasel CVE-2007-1084, CVE-2007-1970, CVE-2007-3144, CVE-2007-3827,
          CVE-2008-0367, CVE-2008-2419

> ruby1.9 / CVE-2008-3443
> This one's unclear. This needs to be reproduced with the milw0rm
> POC and checked with upstream (other Ruby regex issues were recently
> fixed).
>
> ruby1.9 / CVE-2008-3905
> Maybe this is already fixed and was only forgotten in the changelog,
> needs further checks or contacting the maintainer.

I'll look into these two.

Cheers,
        Moritz

On Mon, Nov 17, 2008 at 06:55:13AM +0100, Moritz Muehlenhoff wrote:
> I went through all the open Lenny security issues and commented on them
> briefly. If everyone picks two and fixes them (or brings the respective
> maintainer into fixing them :-), we'll have a lot less work post release.

> movabletype-opensource / CVE-2008-4634
> Upstream says that more issues are coming, no reaction from upstream since 8 Nov 2008
> Patch for XSS issue is extracted

I'll revisit this this week.

Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

On Mon, November 17, 2008 06:55, Moritz Muehlenhoff wrote:
> dia / #504251
> Unfixed, no maintainer reaction, patch available

NMU'd meanwhile, asked for unblock

> egroupware / CVE-2007-3215 Should be fixed by using the system wide
> libphp-mailer, #504283, I remember vaguely that the phpmailer issue is
> only exploitable if certain preconditions are met, it should be checked,
> whether these really apply to egroupware.

Not affected. marked as such but left bug so the embedded copy will be
replaced.

> liquidsoap / CVE-2008-4965
> Fixed in a DTSA, but doesn't seem to have reached Lenny yet?

Asked release team.

cheers,
Thijs

Hi,
thanks for building this list!

* Moritz Muehlenhoff <jmm at inutil.org> [2008-11-17 09:18]:
[...]
> mplayer / CVE-2007-6718
> The infinite loop is harmless, the other two open issues should be checked
> in more depth, but they appear as regular bugs rather than security issues.
>
> mplayer / CVE-2008-4610
> The ogm file is handled gracefully, the aac file crashes mplayer, but needs
> some checking, whether it's really a security problem.

I'm fairly busy with university stuff in the next days, I'll have a look at
these until the end of the week.

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

On Mon, Nov 17, 2008 at 06:55:13AM +0100, Moritz Muehlenhoff wrote:
> Hi,
> I went through all the open Lenny security issues and commented on them
> briefly. If everyone picks two and fixes them (or brings the respective
> maintainer into fixing them :-), we'll have a lot less work post release.
>
> Cheers,
> Moritz
>
[...]
>
> linux-2.6 / CVE-2008-4933, CVE-2008-4934, CVE-2008-5025, CVE-2008-5029
> Patches are available upstream, should be merged into the next -11 upload.

All committed for upcoming 2.6.26-11

--
dann frazier

On Monday 17 November 2008, Moritz Muehlenhoff wrote:
> redhat-cluster CVE-2008-4192 / CVE-2008-4579 / CVE-2008-4580
> Fixed in unstable, need lenny backports

I will look at this one.

On Mon, Nov 17, 2008 at 06:55:13AM +0100, Moritz Muehlenhoff wrote:
> mysql-dfsg-5.0 / CVE-2008-4098
> Devin, you prepared the DSA. Since the upstream release is much more recent than
> Lenny and won't migrate, can you prepare an update for Lenny/testing-proposed-updates?

Sure.

> pidgin / CVE-2008-2955, CVE-2008-2956
> Patch status unclear.

I'll check into it.

--
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2

Moritz Muehlenhoff wrote:
>
> php5 / CVE-2008-4107
> php-suhosin provides proper randomisation, but this needs more visible
> documentation. Maybe the release notes or the existing
> README.Debian.security?

Well, since the mt_/rand functions are nowhere documented as strong for
cryptographic purposes I don't consider it a bug, but a missing enhancement.
Not to mention that most of its side effects were made worse because of the
poor seeding of the PRNG via mt_/srand.

> smarty CVE-2008-4810 / CVE-2008-4811
> I'm not sure about the exact status.
>

-4810 is about the original bug, -4811 is about the incomplete fix for all
the attack vectors. Haven't heard from upstream about -4811

>
> wordpress (504771)
> No patch yet.

The maintainer prepared a new version, which is waiting for somebody to
sponsor it, adding yet another cookies-checking routine which denies the user
to browse anything until some dangerous cookies are deleted.

PS. I just found a XSS vuln in phpCAS which is embedded in a couple of
packages and is now an ITP. Does anyone know about a phpCAS installation
where I could test my findings as to provide more precise information?

Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

On Mon, Nov 17, 2008 at 03:17:12PM -0600, Raphael Geissert wrote:
> Moritz Muehlenhoff wrote:
> >
> > php5 / CVE-2008-4107
> > php-suhosin provides proper randomisation, but this needs more visible
> > documentation. Maybe the release notes or the existing
> > README.Debian.security?
>
> Well, since the mt_/rand functions are nowhere documented as strong for
> cryptographic purposes I don't consider it a bug, but a missing enhancement.

Please update the Security Tracker entry, then.

Cheers,
        Moritz

On Mon, Nov 17, 2008 at 06:55:13AM +0100, Moritz Muehlenhoff wrote:
> Hi,
> I went through all the open Lenny security issues and commented on them
> briefly.

Updated status below:

dovecot / CVE-2008-4578
  Upstream patch for 1.1 in #502967, needs backport. The issue itself looks
  harmless, might be suitable for no-dsa for Lenny

liquidsoap / CVE-2008-4965
  Fixed in a DTSA, but doesn't seem to have reached Lenny yet?
  Currently waiting for hppa build

glibc / CVE-2008-1447
  Florian, do you know the status of a hardened resolver?

movabletype-opensource / CVE-2008-4634 (Dominic)
  Upstream says that more issues are coming, no reaction from upstream since
  8 Nov 2008
  Patch for XSS issue is extracted. Dominic will revisit this week.

mysql-dfsg-5.0 / CVE-2008-4098 (Devin)
  Devin, you prepared the DSA. Since the upstream release is much more recent
  than Lenny and won't migrate, can you prepare an update for
  Lenny/testing-proposed-updates?

ffmpeg-debian / CVE-2008-4869
  It's a bit silly to single out a few security problems, since ffmpeg issues
  aren't systematically tracked. Maintainer has prepared patches for this.

opendb / CVE-2008-4796
  Filed for removal, #505728. Make sure it's removed before Lenny release.

linux-2.6 / CVE-2007-6514
  This one needs retesting with current kernels.

mplayer / CVE-2007-6718 (Nico)
  The infinite loop is harmless, the other two open issues should be checked
  in more depth, but they appear as regular bugs rather than security issues.

mplayer / CVE-2008-4610 (Nico)
  The ogm file is handled gracefully, the aac file crashes mplayer, but needs
  some checking, whether it's really a security problem.

nagios3 / CVE-2008-5028
  The maintainer is working on an update.

openldap / #253838
  Needs more prodding.

pidgin / CVE-2008-2955, CVE-2008-2956 (Devin)
  Patch status unclear.

python2.[45] / CVE-2008-4864
  2.5 fixed in unstable, 2.4 missing.

qemu / CVE-2008-0928
  Patches break existing images.

qemu / CVE-2008-4539
  Fixed in experimental, unstable still needed.

redhat-cluster CVE-2008-4192 / CVE-2008-4579 / CVE-2008-4580 (Stefan)
  Fixed in unstable, need lenny backports

ruby1.9 / CVE-2008-3443 (Moritz)
  This one's unclear. Code in 1.9 is very different from 1.8. Upstream has
  been contacted to clarify.

smarty CVE-2008-4810 / CVE-2008-4811
  -4810 is about the original bug, -4811 is about the incomplete fix for all
  the attack vectors. Raphael hasn't heard from upstream about -4811

tor / #505178
  Fixed in experimental, Peter will fix it for Lenny with an upcoming point
  release.

xemacs21 / CVE-2008-2142
  xemacs seems fairly unmaintained, so this likely needs a NMU.

xen-3 / CVE-2008-4993, CVE-2008-2004, CVE-2008-4405
  Patches can be picked from Red Hat, since they've already released updates.

xine-lib #498243
  No upstream patches, but the descriptions in the advisory are fairly
  verbose.

universalindentgui (#504726)
  Patch available in the bug, but package and the patch need further
  cleanups. It might also be an option to drop it from Lenny and let it
  mature more for Squeeze.

wordpress (504771)
  Needs a sponsored upload.

Unclear older Mozilla issues, the ones w/o references to Mozilla bug entries
should be sent to security at mozilla.org for status/clarification: (Moritz)

xulrunner CVE-2007-3144, CVE-2007-3827
iceape    CVE-2007-1084, CVE-2007-3144, CVE-2007-3827
icedove   CVE-2008-0419
iceweasel CVE-2007-1084, CVE-2007-1970, CVE-2007-3144, CVE-2007-3827,
          CVE-2008-0367, CVE-2008-2419

* Moritz Muehlenhoff <jmm at inutil.org> [2008-11-18 00:46]:
> On Mon, Nov 17, 2008 at 06:55:13AM +0100, Moritz Muehlenhoff wrote:
[...]
> movabletype-opensource / CVE-2008-4634 (Dominic)
> Upstream says that more issues are coming, no reaction from upstream since 8 Nov 2008
> Patch for XSS issue is extracted. Dominic will revisit this week.

Fixed in unstable, I'll take care it gets unblocked.

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

On Mon, Nov 17, 2008 at 01:13:23PM -0800, Devin Carraway wrote:
> > mysql-dfsg-5.0 / CVE-2008-4098
> > Devin, you prepared the DSA. Since the upstream release is much more recent than
> > Lenny and won't migrate, can you prepare an update for Lenny/testing-proposed-updates?

Proposed upload is here -- given the broad use of the package and the
consequences of a mistake, can someone give it a look over?

http://devin.com/debian/security/mysql-dfsg-5.0_lenny.debdiff
http://devin.com/debian/security/mysql/lenny/

> > pidgin / CVE-2008-2955, CVE-2008-2956
> > Patch status unclear.

I reviewed the patches; upstream claims that CVE-2008-2955 is already fixed by
the version in Lenny; subsequent changes have improved protocol consistency
following an attack but are not overtly security-relevant. The only extant
patch for CVE-2008-2956 was submitted by the reporter, and has not been
accepted either by upstream or by the Debian maintainer. Given the difficulty
of real-world exploitation and the modest consequences thereof, I think we're
better off letting this one be.

--
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2

On Tue, Nov 18, 2008 at 12:39:36AM +0100, Moritz Muehlenhoff wrote:
> On Mon, Nov 17, 2008 at 06:55:13AM +0100, Moritz Muehlenhoff wrote:
> > Hi,
> > I went through all the open Lenny security issues and commented on them
> > briefly.

Updated status below:

cups / CVE-2008-5183
  Status needs checking

dovecot / CVE-2008-4578
  Upstream patch for 1.1 in #502967, needs backport. The issue itself looks
  harmless, might be suitable for no-dsa for Lenny

ffmpeg-debian / CVE-2008-4869
  It's a bit silly to single out a few security problems, since ffmpeg issues
  aren't systematically tracked. Maintainer has prepared patches for this,
  but no further reaction so far.

flamethrower / CVE-2008-5141
  Dann has already prepared an update, but it's not been uploaded yet.

geshi / CVE-2008-5185
  No maintainer reaction so far, pinged.

iceape / many
  Fixed in unstable, but the stable maintenance is still not sorted out

icedove / many
  No fix uploaded yet.

linux-2.6 / CVE-2007-6514
  This one needs retesting with current kernels.

ltp / CVE-2008-4969, CVE-2008-5145
  Documented as insecure, but not properly applied yet

mailscanner / CVE-2008-5140 and more mentioned in the Debian bug
  No fix yet.

mplayer / CVE-2007-6718 (Nico)
  The infinite loop is harmless, the other two open issues should be checked
  in more depth, but they appear as regular bugs rather than security issues.

mplayer / CVE-2008-4610 (Nico)
  The ogm file is handled gracefully, the aac file crashes mplayer, but needs
  some checking, whether it's really a security problem.

msp-webserver / CVE-2008-5160
  Appears to have many quality issues, pushed for removal

mysql-dfsg-5.0 / CVE-2008-4098 (Devin)
  Devin prepared an update for testing-proposed-updates, acked by RMs.

nagios3 / CVE-2008-5028
  Maintainer wanted to have had it ready by last Friday, needs prodding.

openldap / #253838
  Upstream fixed it, still needs upload

p3nfs / CVE-2008-5154
  Unfixed, no maintainer reaction

pidgin / CVE-2008-2955, CVE-2008-2956 (Devin)
  Patch status unclear.

qemu / CVE-2008-0928
  Patches break existing images.

qemu / CVE-2008-4539
  Fixed in experimental, unstable still needed.

quassel / #506550
  Maintainer apparently has an update ready, but needs a sponsor.

redhat-cluster CVE-2008-4192 / CVE-2008-4579 / CVE-2008-4580 (Stefan)
  Fixed in unstable, needs lenny backports

ruby1.9 / CVE-2008-3443 (Moritz)
  Patch received from upstream, maintainers are preparing an update.

smarty CVE-2008-4810 / CVE-2008-4811
  -4810 is about the original bug, -4811 is about the incomplete fix for all
  the attack vectors. Raphael will ask on oss list.

smsclient / CVE-2008-5155
  Patch available, but no maintainer reaction since September 2008

tkman / CVE-2008-5137
  Unfixed

verlihub / #506530
  Unfixed, no maintainer reaction, obscure fringe package

wireshark / #506741
  Unfixed, minor issue

xemacs21 / CVE-2008-2142
  xemacs seems fairly unmaintained, so this likely needs a NMU.

xen-3 / CVE-2008-4993, CVE-2008-2004, CVE-2008-4405
  Patches can be picked from Red Hat, since they've already released updates.

xine-lib #498243
  Thomas Viehmann was working on patches, is working with Darren Salt, who's
  both the maintainer and upstream

Unclear older Mozilla issues, the ones w/o references to Mozilla bug entries
should be sent to security at mozilla.org for status/clarification: (Moritz)

xulrunner CVE-2007-3144, CVE-2007-3827
iceape    CVE-2007-1084, CVE-2007-3144, CVE-2007-3827
icedove   CVE-2008-0419
iceweasel CVE-2007-1084, CVE-2007-1970, CVE-2007-3144, CVE-2007-3827,
          CVE-2008-0367, CVE-2008-2419

On Wed, Nov 26, 2008 at 12:50:19AM -0800, Devin Carraway wrote:
> On Mon, Nov 17, 2008 at 01:13:23PM -0800, Devin Carraway wrote:
> > > mysql-dfsg-5.0 / CVE-2008-4098
> > > Devin, you prepared the DSA. Since the upstream release is much more recent than
> > > Lenny and won't migrate, can you prepare an update for Lenny/testing-proposed-updates?
>
> Proposed upload is here -- given the broad use of the package and the
> consequences of a mistake, can someone give it a look over?
>
> http://devin.com/debian/security/mysql-dfsg-5.0_lenny.debdiff
> http://devin.com/debian/security/mysql/lenny/
>
> > > pidgin / CVE-2008-2955, CVE-2008-2956
> > > Patch status unclear.
>
> I reviewed the patches; upstream claims that CVE-2008-2955 is already fixed by
> the version in Lenny; subsequent changes have improved protocol consistency
> following an attack but are not overtly security-relevant.

Ack, committed to tracker.

> The only extant
> patch for CVE-2008-2956 was submitted by the reporter, and has not been
> accepted either by upstream or by the Debian maintainer. Given the difficulty
> of real-world exploitation and the modest consequences thereof, I think we're
> better off letting this one be.

I've committed it as lenny no-dsa, if a patch emerges later we can fix it
along with more serious issues, if any arrive later of the time frame of the
Lenny support.

Cheers,
        Moritz

Hi,
* Moritz Muehlenhoff <jmm at inutil.org> [2008-11-28 20:51]:
> On Tue, Nov 18, 2008 at 12:39:36AM +0100, Moritz Muehlenhoff wrote:
> > On Mon, Nov 17, 2008 at 06:55:13AM +0100, Moritz Muehlenhoff wrote:
[...]
> geshi / CVE-2008-5185
> No maintainer reaction so far, pinged.

I tracked this issue down, my result is on:
http://marc.info/?l=oss-security&m=122718277121421&w=2
This + the other patch providing the PARANOID mode should be enough to fix
this issue. Romain is aware of this and from what I know working on an update
but was busy for the last weekend.

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Moritz Muehlenhoff wrote:
>
> Updated status below:
>
> cups / CVE-2008-5183
> Status needs checking
>

Will prod the maintainer

>
> flamethrower / CVE-2008-5141
> Dann has already prepared an update, but it's not been uploaded yet.
>

Already Ok'ed by RT

>
> mailscanner / CVE-2008-5140 and more mentioned in the Debian bug
> No fix yet.
>

Just requested a new CVE id, or the update of the current one with the extra
issues.

>
> msp-webserver / CVE-2008-5160
> Appears to have many quality issues, pushed for removal
>

dato wants to wait a bit before removing

>
> nagios3 / CVE-2008-5028
> Maintainer wanted to have had it ready by last Friday, needs prodding.
>

Maintainer sent mail to -release asking for approval of new upstream version
properly fixing the bug.

>
> smarty CVE-2008-4810 / CVE-2008-4811
> -4810 is about the original bug, -4811 is about the incomplete fix for all
> the attack vectors. Raphael will ask on oss list.
>

am I? will see who needs to be prodded, but I don't think it will be on oss
list.

Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

On Fri, 28 Nov 2008, Moritz Muehlenhoff wrote:
> Updated status below:

> redhat-cluster CVE-2008-4192 / CVE-2008-4579 / CVE-2008-4580 (Stefan)
> Fixed in unstable, needs lenny backports

uploaded to t-p-u

On Fri, 28 Nov 2008 08:23:25 pm Moritz Muehlenhoff wrote:
> On Tue, Nov 18, 2008 at 12:39:36AM +0100, Moritz Muehlenhoff wrote:
> > On Mon, Nov 17, 2008 at 06:55:13AM +0100, Moritz Muehlenhoff wrote:
> > > Hi,
> > > I went through all the open Lenny security issues and commented on them
> > > briefly.
>
> Updated status below:
[...]
> smsclient / CVE-2008-5155
> Patch available, but no maintainer reaction since September 2008

Unimportant as it is only an example script.

Cheers
Steffen

Hi,
* Moritz Muehlenhoff <jmm at inutil.org> [2008-11-28 20:51]:
> mplayer / CVE-2008-4610 (Nico)
> The ogm file is handled gracefully, the aac file crashes mplayer, but needs
> some checking, whether it's really a security problem.

the aac issue has been resolved and the ogm issue was tracked down to ffmpeg,
bug with patch filed.

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.