to reiterate, why are there no security updates on the front page? (Or, 17 security holes the security team hasn't told you about)
- To: email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
- Cc: email@example.com
- Subject: to reiterate, why are there no security updates on the front page? (Or, 17 security holes the security team hasn't told you about)
- From: Joey Hess <firstname.lastname@example.org>
- Date: Sun, 28 May 2000 22:56:33 -0700
- Message-id: <20000528225633.L6106@kitenet.net>
- Mail-followup-to: email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com
Ok, since nobody from the security team replied to my earlier question,
all I can do is ask it again:
Why is the last security update listed on the www.debian.org web page,
and the last security announcement posted to debian-security-announce,
from way back in March?
I know there have been more recent security updates, based on the thread
that resulted from my question. A lot of them. So why is the security
team not doing anything to get those announced?
Again, the web site says:
[28 Mar 2000] dump -
reported exploit in dump
[09 Mar 2000] mtr -
possible local exploit in mtr
[28 Feb 2000] nmh -
remote exploit in nmh
[26 Feb 2000] htdig -
remote users can read files with webserver uid
[14 Feb 2000] make -
symlink attack in make
[01 Feb 2000] apcd -
symlink attack in apcd
While a quick grep of debian-changes for this month and April for
imap (4.7c-1) frozen; urgency=high
* SECURITY: addresses buffer overflow problems mentioned on BugTraq
zope (2.1.6-1) frozen; urgency=high
* To the release manager: As you can see from changelog.gz, 2.1.6
and 2.1.5 were bug fix releases only. Among the fixed bugs are
two fixes for potential security holes, therefore I think this
release should go into potato:
- Fixed a bug that could allow someone with a lot of Zope zen
to change the apparent AUTHENTICATED_USER to access things
that they shouldn't.
- Fixed a potential security hole that could allow users with
permission to add Folders and edit DTML (and a who have a
lot of Zope zen) to get access to things that they shouldn't.
horde (2:1.2.0-1.pre11.6) frozen unstable; urgency=low
* Upstream security update
imp (2:2.2.0-1.pre11.6) frozen unstable; urgency=low
* Upstream secuirty fixes
apache (1.3.9-13) frozen unstable; urgency=medium
* [RC, security] Backported security fix for Cross Site Scripting issue
(CERT Advisory CA-2000-02) from apache 1.3.11 patch.
kon2 (0.3.9b-0slink1) stable; urgency=high
* [Security FIX] buffer overrun security problem fixed.
xlockmore (4.12-4.1) stable; urgency=high
* Non-maintainer upload by security team
* Fix buffer overflow in resource handling
orbit (0.5.0-5) frozen unstable; urgency=medium
* Postinst for liborbit0 creates default /etc/orbitrc, if none exists.
Default file disables tcp, for security (closes: Bug#52519). More
dhelp (0.3.23) unstable frozen; urgency=low
* dsearch: security fix for glimpse's temp files (#60853)
mh (6.8.4-JP-3.03-32.3) frozen unstable; urgency=low
* Fix another security hole related to the previous fix.
(buffer overflow problem in quote escape)
freewnn (1.1.0+1.1.1-a016-1) frozen; urgency=low
* New upstream release with security-related fixes.
- fixes for msg_open() bug ([freewnn:00350]).
- freewnn-size_limit.diff ([freewnn:00361]).
- freewnn-mkdir.diff ([freewnn:00359]).
roxen (1.2beta2-3.1) stable; urgency=high
* Security fix - html encoding the output of the tags
referer, accept-language, clientname, file
Attacker can include code to be parsed by the server
floppybackup (1.3-2) stable; urgency=high
* Security Fix - fixed temporary file use
mtr (0.28-1) stable; urgency=high
* Security fix for theoretical stack-smash-and-fork attack -
s/seteuid/setuid/ in mtr.c
nmh (0.27-0.28-pre8-4) stable; urgency=high
* Applied patch to fix security hole which allowed untrusted shell
code to be executed.
w3m (0.1.8-1) frozen unstable; urgency=medium
* new upstream version
- security fix potential buffer overflow exploit
angband (290-1) unstable; urgency=low
* Update files in /var/lib/games/angband/data/ on install. Also, make
sure that the scores files are not owned by first player that runs the
game, this fixes a (minor) security issue.
see shy jo