Hi

There are a few security issues (list below), which are still marked as TODO in our security tracker and I would like to hear your comments.
Nico has done a great job tracking several of them down and I started to have a look as well, but since there were so many in one go, it would be greatly appreciated if you could provide us with the necessary information.
Could you please point us to the version it was fixed in (if it's already fixed) and the exact point in the code, preferably with a patch?

Cheers
Steffen

List of still open issues in the tracker:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5239
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5236
Hi,

* Steffen Joeris <steffen.joeris at skolelinux.de> [2008-12-16 22:35]:
> There are a few security issues (list below), which are still marked as TODO
> in our security tracker and I would like to hear your comments.
> Nico has done a great job tracking several of them down and I started to have
> a look as well, but since there were so many in one go, it would greatly be
> appreciated, if you could provide us with the necessary information.
> Could you please point us to the version it was fixed in (if it's already
> fixed) and the exact point in the code, preferably with a patch?

Note that we still have to validate the patches as well, as some of them looked incomplete. Maybe you could give Steffen access to #xine-private on oftc as well so he can join the discussions in irc; that's a bit faster than mailing :)

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
I demand that Nico Golde may or may not have written...

> * Steffen Joeris <steffen.joeris at skolelinux.de> [2008-12-16 22:35]:
>> There are a few security issues (list below), which are still marked as
>> TODO in our security tracker and I would like to hear your comments. Nico
>> has done a great job tracking several of them down and I started to have
>> a look as well, but since there were so many in one go, it would greatly
>> be appreciated, if you could provide us with the necessary information.
>> Could you please point us to the version it was fixed in (if it's already
>> fixed) and the exact point in the code, preferably with a patch?

http://alioth.debian.org/~dsalt-guest/security/.private/

_crash.tar contains several problematic files which either cause problems or have caused problems.

CVE_patches.tar.gz is a split-up version of the oCERT patch. It may not be correctly split up; if not, provide details and I'll correct it.

xine-lib-security-20081215.bundle is what I have locally committed. I intend to add the content of CVE_patches.tar.gz and any other relevant individual patches to that before I push the patches into the upstream repositories, get 1.1.16 released, then deal with the Debian side of things.

I think that all of them, even those filed in the Debian BTS and marked as "normal" severity, should be fixed for lenny.

> Note that we still have to validate the patches as well as some of them
> looked incomplete. Maybe you could give Steffen access to #xine-private on
> oftc as well so he can join the discussions in irc, that's a bit faster
> than mailing :)

db.d.o says "white"... done.

-- 
| Darren Salt | linux or ds at | nr. Ashington, | Toon | RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army |
+ RIPA NOTICE: NO CONSENT GIVEN FOR INTERCEPTION OF MESSAGE TRANSMISSION

I'd like to, but I did my own thing and now I've got to undo it.