
Re: Freeze Please?



On Sat, Feb 08, 2003 at 03:52:00PM +0100, Marcelo E. Magallon wrote:

> On Fri, Feb 07, 2003 at 03:30:09PM -0500, Matt Zimmerman wrote:
> 
>  > No, I'm saying that cluttering the BTS with hundreds of critical and
>  > grave bugs that the maintainer can do nothing about is not a useful
>  > thing to do.
> 
>  What I'm saying is:
>  
>     * The release manager says that people who point out that testing
>       has security problems are just bitching and not doing anything
>       about it
>       
>     * IMO the first step towards fixing that is documenting what
>       problems are there
> 
>     * Since the BTS is already used for release coordination, it seems
>       natural to me to have known security issues recorded in the BTS

This whole thing is a temporary situation because most packages are stalled
as far as entering testing, and filing a bunch of bugs and making a lot of
noise over a temporary situation is not the best approach.

>  I'd hope maintainers have a bit more brains than that...

There is good reason why (for example) new packages and uploads to stable
are manually processed.

>  First there are no volunteers, now there are too many.

No.

>  I don't *expect* every maintainer to go thru all the trouble of making
>  security uploads to testing, but I'd also expect that if the information
>  is readily available and everything is in place (which it is, c.f.
>  previous mails from Anthony), people would be eager to do the dirty work.
>  Think BSPs.

NMUs to testing are pointless when they will be overwritten by maintainer
uploads naturally progressing from unstable.

>  Define responsibly.  You can't expect anyone to comply with your
>  conditions if you don't even name them.

By "responsibly", I mean to make sure that it is as accurate and up to date
as possible.

Below is a historical list to get you started.  For cases where multiple
packages had the same bug and multiple DSAs were released instead of one,
the DSA listed will not necessarily correspond to the particular package
named in that row.  This is an artifact resulting from the fact that I map
DSAs to particular bugs, and not to the particular packages that they
address.

+-----+-------------------+----------------------------------------------------------------+-----+
| Bug | Package           | Description                                                    | DSA |
+-----+-------------------+----------------------------------------------------------------+-----+
|  50 | php3              | Multiple file upload vulnerabilities                           | 115 |
|  50 | php4              | Multiple file upload vulnerabilities                           | 115 |
| 120 | mm                | insecure temp files                                            | 137 |
| 121 | gallery           | remote execution via GALLERY_BASEDIR                           | 138 |
| 133 | php4              | Safe Mode bypass, CRLF injection                               | 168 |
| 147 | busybox           | xdr integer overflow                                           | 149 |
| 176 | postgresql        | multibyte conversion SQL injection, buffer overflows           | 165 |
| 195 | gnome-gv          | gv buffer overflow                                             | 182 |
| 195 | kdegraphics       | gv buffer overflow                                             | 182 |
| 201 | heimdal           | heimdal buffer overflows (kadmind, kdc)                        | 178 |
| 202 | bugzilla          | bugzilla >47 groups issue                                      | 173 |
| 204 | fetchmail         | fetchmail multidrop buffer overflows, broken boundary check    | 171 |
| 205 | heartbeat         | heartbeat format string                                        | 174 |
| 208 | apache            | apache shared memory scoreboard writability                    | 188 |
| 208 | apache-perl       | apache shared memory scoreboard writability                    | 188 |
| 209 | apache            | apache ab overflows                                            | 188 |
| 209 | apache-perl       | apache ab overflows                                            | 188 |
| 210 | apache            | Cross-site scripting in error page                             | 195 |
| 210 | apache-perl       | Cross-site scripting in error page                             | 195 |
| 211 | apache            | insecure temporary files in htpasswd, htdigest                 | 187 |
| 211 | apache-perl       | insecure temporary files in htpasswd, htdigest                 | 187 |
| 220 | libapache-mod-ssl | mod_ssl cross-site scripting                                   | 181 |
| 221 | gtetrinet         | buffer overflows in gtetrinet                                  | 205 |
| 222 | heimdal           | kadmind4 buffer overflow                                       | 184 |
| 222 | krb5              | kadmind4 buffer overflow                                       | 184 |
| 223 | heimdal           | libroken resolver bugs                                         | 185 |
| 223 | krb4              | libroken resolver bugs                                         | 185 |
| 226 | courier           | courier webmail can be used to read local files                | 197 |
| 226 | courier-ssl       | courier webmail can be used to read local files                | 197 |
| 228 | log2mail          | log2mail buffer overflows                                      | 186 |
| 230 | luxman            | luxman maped/gzip vulnerability                                | 189 |
| 232 | kdenetwork        | resLISa LOGNAME buffer overflow                                | 193 |
| 239 | samba             | samba E_md4hash overflow                                       | 200 |
| 243 | freeswan          | freeswan DoS                                                   | 201 |
| 244 | bind              | BIND multiple vulnerabilities                                  | 196 |
| 255 | canna             | cannaserver irw_through overflow                               | 224 |
| 263 | cyrus-imapd       | Cyrus login integer overflow                                   | 215 |
| 270 | tcpdump           | tcpdump BGP decoder overflow                                   | 206 |
| 271 | wget              | wget directory traversal                                       | 209 |
| 272 | mysql-dfsg        | mysql heap overflow, password length, libmysql vulnerabilities | 212 |
| 274 | cupsys            | CUPS multiple vulnerabilities                                  | 232 |
| 275 | lynx              | lynx CR/LF injection                                           | 210 |
| 275 | lynx-ssl          | lynx CR/LF injection                                           | 210 |
| 276 | fetchmail         | fetchmail reply-hack overflow                                  | 216 |
| 277 | kdeadmin          | KDE shell quoting vulnerabilities                              | 234 |
| 277 | kdebase           | KDE shell quoting vulnerabilities                              | 234 |
| 277 | kdegames          | KDE shell quoting vulnerabilities                              | 234 |
| 277 | kdegraphics       | KDE shell quoting vulnerabilities                              | 234 |
| 277 | kdelibs           | KDE shell quoting vulnerabilities                              | 234 |
| 277 | kdemultimedia     | KDE shell quoting vulnerabilities                              | 234 |
| 277 | kdenetwork        | KDE shell quoting vulnerabilities                              | 234 |
| 277 | kdepim            | KDE shell quoting vulnerabilities                              | 234 |
| 277 | kdesdk            | KDE shell quoting vulnerabilities                              | 234 |
| 277 | kdeutils          | KDE shell quoting vulnerabilities                              | 234 |
| 281 | cupsys            | pdftops integer overflow                                       | 222 |
| 281 | pdftohtml         | pdftops integer overflow                                       | 222 |
| 281 | xpdf              | pdftops integer overflow                                       | 222 |
| 282 | libpng            | libpng png_read_filler() buffer overflow                       | 213 |
| 282 | libpng3           | libpng png_read_filler() buffer overflow                       | 213 |
| 290 | bugzilla          | bugzilla cross-site scripting in quips                         | 218 |
| 291 | openldap2         | multiple openldap vulnerabilities                              | 227 |
| 297 | bugzilla          | bugzilla multiple vulnerabilities                              | 230 |
| 298 | tomcat4           | tomcat JSP source disclosure                                   | 225 |
| 300 | geneweb           | geneweb reading arbitrary files                                | 223 |
| 302 | libmcrypt         | libmcrypt buffer overflows                                     | 228 |
| 309 | dhcp3             | dhcpd minires stack overflows                                  | 231 |
| 310 | cvs               | CVS double-free                                                | 233 |
| 319 | noffle            | noffle buffer overflow                                         | 244 |
+-----+-------------------+----------------------------------------------------------------+-----+

Remember to check your document whenever a new version of one of these
packages enters testing, or a new DSA is released.

Alternatively, you can just relax until I finish building a usable
self-serve reporting system for this information.  I already have the
capability to produce this particular report at any time, automatically
checking which versions of the various packages are affected by the bug, and
which versions of those packages the bug was fixed (if any), against the
packages present in stable, testing and unstable.

It is my intention to do this right, and I am not interested in a lot of
noise based on misunderstandings about the purpose and implementation of
testing.

-- 
 - mdz
