[ note: Reply-To: set to debian-devel ]

This is a quick summary of the Debian Testing Security Team[1] work and a
request for some aid to help sort out some difficult Sarge security problems.

Contents of this message:

  What the Testing Security Team has been up to
  How can I leverage my powerful brain to aid you?
  Let the games begin!
  This is fun, how else can I help?

Background information
----------------------

The first thing the Debian Testing Security Team did was to check all
security holes since the release of Debian 3.0 to ensure that all the holes
are fixed in Sarge. Now that this has finished, we are busy checking to make
sure that security problems that have already been fixed in unstable as well
as stable do not continue to affect testing. We are also dealing with new
holes as they are made known.

Every day we get an updated copy of Mitre's comprehensive list of known
security problems, known affectionately as CAN numbers[2]. We've been going
through old CANs as well as the newly released CANs, checking changelogs and
advisories, testing proof-of-concepts, digging out patches from other
vendors' kernels, whatever is needed to confidently determine whether sarge
is vulnerable to the particular CAN or not. We then record our findings,
file bugs, write patches, do NMUs as necessary, track fixed packages and
work with the Debian Release Managers to make sure fixes reach testing
quickly.

The result of this is the Testing Security issues page[3], which shows how
many holes are unfixed (that we know of) in testing as well as the
associated bugs and Debian package versions required to plug each hole. In
addition to this, it also indicates how many unprocessed TODO items are
still remaining for us to process.[4]

How can I leverage my powerful brain to aid you?
------------------------------------------------

I'm glad you asked!

Your brain is much bigger than our individual brains, so we need the
collective help of everyone to brainstorm solutions to some difficult
remaining CANs. Our goal is to reduce our TODO count to zero, but we need
your help. There are a few CANs that are pretty vague in their broad
applicability: they potentially cover a number of packages, and we need
help figuring out which packages those would be. Bonus points if you can
tell us whether the package is affected by its associated CAN; extra bonus
points if you tell us the bug number that you filed to alert the package
maintainer of the security hole, tagged it security and added a patch.

So without further ado, here they are. If you have any information that
can help us, please follow up to debian-devel.

Let the games begin!
--------------------

1. What packages contain X.400 (CAN-2003-0565)[5]?

2. What packages contain S/MIME besides mozilla, because the current
   version (mozilla 2:1.7.3) contains safe NSS 3.9.1 (CAN-2003-0564)[6]?

3. What packages modify JPEG images (CAN-2005-0406)[7]? Please limit your
   answers to those packages that do not update the EXIF thumbnail; we
   don't need to hear "imagemagick" or "the gimp." You can test this with
   this jpg[8], whose EXIF thumbnail contains a green swirl instead of the
   red one in the main image. Basically, if the file is loaded into a
   program doing the right thing (e.g. gimp) and saved again, the swirl in
   the thumbnail turns red. If a program is doing the wrong thing (e.g.
   convert[9]), the thumbnail stays green:

     convert exiftest.jpg -draw "rectangle 0,0 300,300 fill black" out.jpg

   will draw a black rectangle over the swirl, but the thumbnail in out.jpg
   still has the green swirl.

4. What packages contain libtiff code (besides libtiff4 3.6.1-4, which is
   not affected due to DSA-617-1) (CAN-2004-1308)[10]?

5. What ftp programs are affected by directory traversal vulnerabilities
   (CAN-2002-1345)[11]?

6. What packages in Debian are SMTP mailscanners that can potentially be
   bypassed by fragmenting messages (CAN-2002-1121)[12]?

7. Is our xpdf vulnerable to CAN-2005-0206[13]?

This is fun, how else can I help?
---------------------------------

Glad you asked! Anyone with an interest in participating is welcome to join
the team, Debian Developers and others with the skills and desire to help.
The team can be contacted through its mailing list[14]. There is a second
mailing list[15] that receives commit messages to our repository. An alioth
project page[1] is also available. Have a read of this message[16] if you
are interested in participating; the details are there about how to start
helping check CANs on a regular basis.

What do I win? huh? Huh?!
-------------------------

You get a little sticker that says: "I donated to Sarge today!" [swirl here]

Ok, not really, but you do get our gratitude; these are annoying and
difficult. Thanks.

[1] http://secure-testing.alioth.debian.org/
[2] http://cve.mitre.org/cve/candidates/downloads/full-can.html
[3] http://merkel.debian.org/~joeyh/testing-security.html
[4] An alternate page tracks archive changes more quickly, but may be
    inaccurate due to bugs in madison on newraff:
    http://newraff.debian.org/~joeyh/testing-security.html
[5] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0565
[6] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0564
[7] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0406
[8] http://www.sfritsch.de/debian/exiftest.jpg
[9] convert is from package "imagemagick" and exif is from "exif"
[10] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1308
[11] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1345
[12] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1121
[13] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0206
[14] http://secure-testing.alioth.debian.org/secure-testing-team@lists.alioth.debian.org
[15] http://secure-testing.alioth.debian.org/secure-testing-commits@lists.alioth.debian.org
[16] http://lists.debian.org/debian-security/2004/10/msg00166.html
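The test for item 3 (CAN-2005-0406) is described by eye: save the file and look at the thumbnail's colour. The script below automates it. It is an example added here, not code from the original message or from any Debian package: it walks the JPEG marker segments to the APP1/EXIF block, follows IFD0's link to IFD1, reads the JPEGInterchangeFormat (0x0201) and JPEGInterchangeFormatLength (0x0202) entries, and returns the embedded thumbnail bytes, so the thumbnail of the original and of the edited file can be compared byte for byte. The sample JPEG it builds is constructed inline, with stand-in bytes where real scan data and a real thumbnail would be, so it runs offline; the function names are this example's own.

```python
import struct

SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
TAG_THUMB_OFFSET, TAG_THUMB_LENGTH = 0x0201, 0x0202


def _thumbnail_from_tiff(tiff: bytes):
    """Return the IFD1 thumbnail from a TIFF-structured EXIF payload, or None."""
    bo = {b"MM": ">", b"II": "<"}.get(tiff[:2])
    if bo is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(bo + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    # IFD0 describes the main image; the 4-byte link after its entries points to IFD1.
    n0 = struct.unpack(bo + "H", tiff[ifd0:ifd0 + 2])[0]
    link = ifd0 + 2 + 12 * n0
    ifd1 = struct.unpack(bo + "I", tiff[link:link + 4])[0]
    if ifd1 == 0:
        return None  # no thumbnail IFD at all
    n1 = struct.unpack(bo + "H", tiff[ifd1:ifd1 + 2])[0]
    off = length = None
    for i in range(n1):
        e = ifd1 + 2 + 12 * i
        tag, _typ, _count, value = struct.unpack(bo + "HHII", tiff[e:e + 12])
        if tag == TAG_THUMB_OFFSET:
            off = value
        elif tag == TAG_THUMB_LENGTH:
            length = value
    if off is None or length is None:
        return None
    # Offsets come from untrusted file data: refuse to read past the segment.
    if off + length > len(tiff):
        raise ValueError("thumbnail offset/length points outside the EXIF segment")
    return tiff[off:off + length]


def extract_exif_thumbnail(jpeg: bytes):
    """Return the embedded EXIF thumbnail bytes of a JPEG, or None if absent."""
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (SOS, EOI):
            return None  # metadata segments only precede the scan data
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == APP1 and body.startswith(b"Exif\x00\x00"):
            return _thumbnail_from_tiff(body[6:])
        pos += 2 + seg_len
    return None


def thumbnail_is_stale(original: bytes, edited: bytes) -> bool:
    """True when the edited file still carries the original's thumbnail unchanged."""
    t0 = extract_exif_thumbnail(original)
    t1 = extract_exif_thumbnail(edited)
    return t0 is not None and t0 == t1


def build_exif_jpeg(thumb: bytes) -> bytes:
    """Constructed sample: a minimal JPEG carrying an EXIF IFD1 thumbnail (stand-in bytes)."""
    ifd0_off = 8
    ifd1_off = ifd0_off + 2 + 12 + 4            # IFD0: one entry plus link
    thumb_off = ifd1_off + 2 + 2 * 12 + 4       # IFD1: two entries plus zero link
    tiff = b"MM" + struct.pack(">HI", 42, ifd0_off)
    tiff += struct.pack(">H", 1)
    tiff += struct.pack(">HHIHH", 0x0112, 3, 1, 1, 0)   # Orientation = 1 (SHORT, padded)
    tiff += struct.pack(">I", ifd1_off)
    tiff += struct.pack(">H", 2)
    tiff += struct.pack(">HHII", TAG_THUMB_OFFSET, 4, 1, thumb_off)
    tiff += struct.pack(">HHII", TAG_THUMB_LENGTH, 4, 1, len(thumb))
    tiff += struct.pack(">I", 0)
    tiff += thumb
    payload = b"Exif\x00\x00" + tiff
    app1 = bytes([0xFF, APP1]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes([0xFF, SOI]) + app1 + bytes([0xFF, SOS, 0, 2]) + b"MAIN-IMAGE-DATA" + bytes([0xFF, EOI])


# Constructed files: the original, an edit that touched only the scan data
# (thumbnail left alone, as the message reports for convert), and an edit
# that regenerated the thumbnail as well.
ORIGINAL = build_exif_jpeg(b"\xff\xd8GREEN-SWIRL\xff\xd9")
BAD_EDIT = ORIGINAL.replace(b"MAIN-IMAGE-DATA", b"BLACK-RECT-DATA")
GOOD_EDIT = build_exif_jpeg(b"\xff\xd8RED-SWIRL\xff\xd9").replace(b"MAIN-IMAGE-DATA", b"BLACK-RECT-DATA")

if __name__ == "__main__":
    print("convert-style edit keeps old thumbnail:", thumbnail_is_stale(ORIGINAL, BAD_EDIT))
    print("gimp-style edit keeps old thumbnail:   ", thumbnail_is_stale(ORIGINAL, GOOD_EDIT))
```

To apply it to the real files, read exiftest.jpg and the out.jpg produced by the convert command above and pass both to thumbnail_is_stale; a True result means the tool rewrote the image but left the original thumbnail in place, which is exactly the information leak CAN-2005-0406 describes.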