Bug#690986: CVE-2012-5363 CVE-2012-5365

To: Jonathan Wiltshire <jmw@debian.org>, 690986@bugs.debian.org
Subject: Bug#690986: CVE-2012-5363 CVE-2012-5365
From: Steven Chamberlain <steven@pyro.eu.org>
Date: Tue, 03 Sep 2013 14:41:26 +0100
Message-id: <[🔎] 5225E706.2060908@pyro.eu.org>
Reply-to: Steven Chamberlain <steven@pyro.eu.org>, 690986@bugs.debian.org
In-reply-to: <[🔎] 20130903111502.31999.63855@prsc.debian.net>
References: <[🔎] 20130903111502.31999.63855@prsc.debian.net>

Control: found -1 8.1+dfsg-8+squeeze4
Control: found -1 8.3-6

(Affected versions in stable and oldstable were not marked as such, so
I'm fixing that now.)

On 03/09/13 12:15, Jonathan Wiltshire wrote:
> Recently you fixed one or more security problems and as a result you closed
> this bug.
> [...] they are now on my radar for fixing in the following suites
> through point releases:

This bug was only closed due to removal of kfreebsd-8 from sid.  Maybe
this report was generated in error because affected versions were not
properly tagged?

No fix is available.  I'd like to keep the security issues 'open' until
someday a mitigation might be introduced in the upstream development
head which could be backported.

Hopefully the note on the PTS about these open issues, the bug in the
BTS, and security tracker data (e.g. via debsecan) are enough to advise
users of these two CVEs.  The issues are DoS-only and IMHO low severity
for most environments.

That said, there are some other outstanding security bugs in kfreebsd-8
we may want to address in a point release...

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

Reply to:

References:
- Bug#690986: CVE-2012-5363 CVE-2012-5365
  - From: Jonathan Wiltshire <jmw@debian.org>

Prev by Date: Bug#690986: CVE-2012-5363 CVE-2012-5365
Next by Date: Processed: Re: Bug#690986: CVE-2012-5363 CVE-2012-5365
Previous by thread: Bug#690986: CVE-2012-5363 CVE-2012-5365
Next by thread: Processed: Re: Bug#690986: CVE-2012-5363 CVE-2012-5365
Index(es):
- Date
- Thread