Jose Antonio Quevedo Muñoz
2010-Aug-11 05:52 UTC
[Secure-testing-team] CVE-2010-2304 - #586547 - squeeze related - patch attached
Hi there!

squeeze was frozen last week, as you know.
This vulnerability [1] was already solved by Gustavo Noronha in unstable,
but it's not solved in squeeze and lenny yet.

The bug was reported by Nico Golde [1] (thanks for a very good bug report).
The patch was distributed by upstream. [2]
More information about this CVE can be found in [3] and [4].

Attached is the debdiff that includes the patch that can be used to
solve this issue.
I'm not an official DM or DD, so please review my work expecting newbie
mistakes.

Best regards,

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=586547
[2] http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/rendering/RenderListMarker.cpp?r1=48100&r2=48099
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2304
[4] http://security-tracker.debian.org/tracker/CVE-2010-2304

-------------- next part --------------
A non-text attachment was scrubbed...
Name: debdiff.diff
Type: text/x-patch
Size: 3110 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20100811/a831d0a2/attachment.bin>

Michael Gilbert
2010-Aug-11 14:56 UTC
[Secure-testing-team] CVE-2010-2304 - #586547 - squeeze related - patch attached
On Wed, 11 Aug 2010 07:52:36 +0200, Jose Antonio Quevedo Muñoz wrote:
> Hi there!
>
> squeeze was frozen last week, as you know.
> This vulnerability [1] was already solved by Gustavo Noronha in unstable,
> but it's not solved in squeeze and lenny yet.
>
> The bug was reported by Nico Golde [1] (thanks for a very good bug report).
> The patch was distributed by upstream. [2]
> More information about this CVE can be found in [3] and [4].
>
> Attached is the debdiff that includes the patch that can be used to
> solve this issue.
> I'm not an official DM or DD, so please review my work expecting newbie
> mistakes.

thanks for working on that. the new webkit package will automatically
transition to squeeze pretty soon, so there isn't any need to apply the
fix manually. also, security support for the lenny webkit package is
likely to be dropped soon.

you may want to take a look at the security tracker to find more issues
in need of assistance:
http://security-tracker.debian.org/tracker/status/release/stable

thanks again for your interest!

mike