Giuseppe,

In the process of doing the embedded code copies triage, I've come across a lot of cases where tracking for kompozer is not done. I understand that this package is relatively new, but since it is derived from existing code, it should be checked retroactively for vulnerabilities. It looks like the code is copied from firefox/thunderbird 2.0.0.20 (according to './mozilla/browser/config/version.txt' and other version files, but that could be wrong).

I see that you are the maintainer; can you go through all of the CVEs affecting iceape and either tag kompozer not-affected or fixed? This would help me out a lot since you are already familiar with the package, and I have a lot of other issues to look at. Thanks.

Mike
Michael S Gilbert wrote:
> vulnerabilities. it looks like the code is copied from
> firefox/thunderbird 2.0.0.20 (according to
> './mozilla/browser/config/version.txt' and other version files, but
> that could be wrong).

Right, but I backported all relevant security fixes.

> i see that you are the maintainer; can you go through all of the cves
> affecting iceape and either tag kompozer not-affected or fixed? this
> would help me out a lot since you are already familiar with the
> package, and i have a lot of other issues to look at. thanks.

Ok, but I will not be available until next Tuesday.

Cheers,
Giuseppe.
On Tue, Sep 01, 2009 at 11:16:12PM -0400, Michael S Gilbert wrote:
> Guiseppe,
>
> in the process of doing the embedded code copies triage, i've come
> across a lot of cases where tracking for kompozer is not done. i
> understand that this package is relatively new, but since it is derived
> from existing code, it should be checked retroactively for
> vulnerabilities. it looks like the code is copied from
> firefox/thunderbird 2.0.0.20 (according to
> './mozilla/browser/config/version.txt' and other version files, but
> that could be wrong).
>
> i see that you are the maintainer; can you go through all of the cves
> affecting iceape and either tag kompozer not-affected or fixed? this
> would help me out a lot since you are already familiar with the
> package, and i have a lot of other issues to look at. thanks.

I don't think we'll be covering kompozer with security support in Squeeze. Most of the issues that affect a browser are moot, since kompozer is used for creating web content, not viewing content from potentially untrusted sources. We can either track it as unimportant or remove it from CVE/list altogether.

Giuseppe, you should probably include a README.Debian.security to indicate the status.

Cheers,
Moritz
Moritz Muehlenhoff wrote:
> Most of the issues that affect a browser are moot, since
> kompozer is used for creating web content, not viewing content from
> potentially untrusted sources. We can either track it as unimportant
> or remove it from CVE/list altogether.

Indeed, and additionally it shares the browser engine, but a lot of features are not enabled (for example javascript, and most of the latest issues referred to it).

> Guiseppe, you should probably include a README.Debian.security to
> indicate the status.

Ok, added to my TODO list.

Cheers,
Giuseppe.