Nelson A. de Oliveira
2008-Nov-20 13:08 UTC
[Secure-testing-team] Stable isn't vulnerable to CVE-2008-5101
Hi!

I was looking http://security-tracker.debian.net/tracker/CVE-2008-5101
and it says that the stable version of optipng is vulnerable to
CVE-2008-5101. This should be fixed since the only vulnerable versions
are 0.6 and 0.6.1 (stable is 0.5.5).

I can forward upstream email where he says "The versions affected are
0.6 and 0.6.1; version 0.5.5 is fine." just in case you need.

Best regards,
Nelson
Nico Golde
2008-Nov-20 15:41 UTC
[Secure-testing-team] Stable isn't vulnerable to CVE-2008-5101
Hi,
* Nelson A. de Oliveira <naoliv at debian.org> [2008-11-20 14:29]:
> I was looking http://security-tracker.debian.net/tracker/CVE-2008-5101
> and it says that the stable version of optipng is vulnerable to
> CVE-2008-5101. This should be fixed since the only vulnerable versions
> are 0.6 and 0.6.1 (stable is 0.5.5).

This is due to how the tracker works, the version is unfixed until it is
marked as fixed by a version or explicitly marked as not-affected.

> I can forward upstream email where he says "The versions affected are
> 0.6 and 0.6.1; version 0.5.5 is fine." just in case you need.

Yes please do so, so we can check that.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Nelson A. de Oliveira
2008-Nov-20 16:17 UTC
[Secure-testing-team] Stable isn't vulnerable to CVE-2008-5101
Hi!

On Thu, 20 Nov 2008 16:41:59 +0100
Nico Golde <debian-secure-testing+ml at ngolde.de> wrote:
> > I can forward upstream email where he says "The versions affected
> > are 0.6 and 0.6.1; version 0.5.5 is fine." just in case you need.
>
> Yes please do so, so we can check that.

Attached.
You will see that he said exactly what I said :-)

Thank you!

Best regards,
Nelson

-------------- next part --------------
A non-text attachment was scrubbed...
Name: optipng.txt.gz
Type: application/x-gzip
Size: 889 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081120/850aa929/attachment.bin
Nico Golde
2008-Nov-20 18:08 UTC
[Secure-testing-team] Stable isn't vulnerable to CVE-2008-5101
Hi,
* Nelson A. de Oliveira <naoliv at debian.org> [2008-11-20 19:01]:
> On Thu, 20 Nov 2008 16:41:59 +0100
> Nico Golde <debian-secure-testing+ml at ngolde.de> wrote:
>
> > > I can forward upstream email where he says "The versions affected
> > > are 0.6 and 0.6.1; version 0.5.5 is fine." just in case you need.
> >
> > Yes please do so, so we can check that.
>
> Attached.
> You will see that he said exactly what I said :-)

Can you please be a bit more specific on why "it's fine"?

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Nelson A. de Oliveira
2008-Nov-20 18:26 UTC
[Secure-testing-team] Stable isn't vulnerable to CVE-2008-5101
On Thu, 20 Nov 2008 19:08:42 +0100
Nico Golde <debian-secure-testing+ml at ngolde.de> wrote:
> Can you please be a bit more specific on why "it's fine"?

Because the upstream author (who also found the vulnerability) of the
affected package said that version 0.5.5 (available at stable) isn't
vulnerable?

Best regards,
Nelson
Nico Golde
2008-Nov-20 18:57 UTC
[Secure-testing-team] Stable isn't vulnerable to CVE-2008-5101
Hi,
* Nelson A. de Oliveira <naoliv at debian.org> [2008-11-20 19:46]:
> On Thu, 20 Nov 2008 19:08:42 +0100
> Nico Golde <debian-secure-testing+ml at ngolde.de> wrote:
> > Can you please be a bit more specific on why "it's fine"?
>
> Because the upstream author (who also found the vulnerability) of the
> affected package said that version 0.5.5 (available at stable) isn't
> vulnerable?

Ok I marked this as not-affected now, what I really wanted to hear are
some details about the code...

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
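
The tracker behaviour described in this thread (a release counts as vulnerable until a fixed version or an explicit not-affected mark says otherwise), sketched as an added example that is not part of the original messages and not the tracker's own code. The package name examplepkg, the CVE id, the fixed version 0.6.2 and the release label "stable" are constructed, and version ordering is simplified to dotted integers rather than full dpkg rules.

```python
import re

# Constructed annotations in the style of the tracker's CVE list file.
# "examplepkg", "CVE-0000-0000" and the fixed version 0.6.2 are placeholders.
BEFORE = "CVE-0000-0000\n\t- examplepkg 0.6.2\n"
AFTER = BEFORE + (
    "\t[stable] - examplepkg <not-affected> (vulnerable code introduced in 0.6)\n"
)

# Matches "- pkg STATE" and "[release] - pkg STATE" annotation lines.
LINE = re.compile(
    r"^\s+(?:\[(?P<rel>[\w-]+)\]\s+)?-\s+(?P<pkg>\S+)\s+(?P<state><[\w-]+>|\S+)"
)

def vkey(version):
    """Simplified ordering for plain dotted versions (assumption: no epochs/revisions)."""
    return tuple(int(part) for part in version.split("."))

def status(annotations, package, release, installed):
    """Resolve one release's status from the annotations for a package."""
    generic = specific = None
    for line in annotations.splitlines():
        m = LINE.match(line)
        if not m or m["pkg"] != package:
            continue
        if m["rel"] is None:
            generic = m["state"]       # entry without a release tag
        elif m["rel"] == release:
            specific = m["state"]      # release-specific entry
    state = specific or generic        # the release-specific entry wins
    if state is None:
        return "not-tracked"
    if state == "<not-affected>":
        return "not-affected"
    if state.startswith("<"):          # e.g. <unfixed>
        return "vulnerable"
    # Only a fixed version is known: anything older is assumed vulnerable,
    # even if the flawed code was introduced later than the installed version.
    return "fixed" if vkey(installed) >= vkey(state) else "vulnerable"

if __name__ == "__main__":
    print(status(BEFORE, "examplepkg", "stable", "0.5.5"))
    print(status(AFTER, "examplepkg", "stable", "0.5.5"))
```

With only a fixed version recorded, the older stable version is reported as vulnerable because nothing records when the flaw was introduced; the explicit not-affected entry is what carries that knowledge.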