to reiterate, why are there no security updates on the front page? (Or, 17 security holes the security team hasn't told you about)
- To: debian-devel@lists.debian.org, debian-security-private@lists.debian.org, joey@debian.org, wakkerma@debian.org
- Cc: debian-www@lists.debian.org
- Subject: to reiterate, why are there no security updates on the front page? (Or, 17 security holes the security team hasn't told you about)
- From: Joey Hess <joeyh@debian.org>
- Date: Sun, 28 May 2000 22:56:33 -0700
- Message-id: <20000528225633.L6106@kitenet.net>
- Mail-followup-to: debian-devel@lists.debian.org, debian-security-private@lists.debian.org, joey@debian.org, wakkerma@debian.org, debian-www@lists.debian.org
Ok, since nobody from the security team replied to my earlier question,
all I can do is ask it again:
Why is the last security update listed on the www.debian.org web page,
and the last security announcement posted to debian-security-announce,
from way back in March?
I know there have been more recent security updates, based on the thread
that resulted from my question. A lot of them. So why is the security
team not doing anything to get those announced?
Again, the web site says:
[28 Mar 2000] dump -
reported exploit in dump
[09 Mar 2000] mtr -
possible local exploit in mtr
[28 Feb 2000] nmh -
remote exploit in nmh
[26 Feb 2000] htdig -
remote users can read files with webserver uid
[14 Feb 2000] make -
symlink attack in make
[01 Feb 2000] apcd -
symlink attack in apcd
While a quick grep of debian-changes for this month and April for
"security" finds:
imap (4.7c-1) frozen; urgency=high
* SECURITY: addresses buffer overflow problems mentioned on BugTraq
zope (2.1.6-1) frozen; urgency=high
* To the release manager: As you can see from changelog.gz, 2.1.6
and 2.1.5 were bug fix releases only. Among the fixed bugs are
two fixes for potential security holes, therefore I think this
release should go into potato:
- Fixed a bug that could allow someone with a lot of Zope zen
to change the apparent AUTHENTICATED_USER to access things
that they shouldn't.
- Fixed a potential security hole that could allow users with
permission to add Folders and edit DTML (and a who have a
lot of Zope zen) to get access to things that they shouldn't.
horde (2:1.2.0-1.pre11.6) frozen unstable; urgency=low
* Upstream security update
imp (2:2.2.0-1.pre11.6) frozen unstable; urgency=low
* Upstream secuirty fixes
apache (1.3.9-13) frozen unstable; urgency=medium
* [RC, security] Backported security fix for Cross Site Scripting issue
(CERT Advisory CA-2000-02) from apache 1.3.11 patch.
kon2 (0.3.9b-0slink1) stable; urgency=high
* [Security FIX] buffer overrun security problem fixed.
xlockmore (4.12-4.1) stable; urgency=high
* Non-maintainer upload by security team
* Fix buffer overflow in resource handling
orbit (0.5.0-5) frozen unstable; urgency=medium
* Postinst for liborbit0 creates default /etc/orbitrc, if none exists.
Default file disables tcp, for security (closes: Bug#52519). More
dhelp (0.3.23) unstable frozen; urgency=low
* dsearch: security fix for glimpse's temp files (#60853)
mh (6.8.4-JP-3.03-32.3) frozen unstable; urgency=low
* Fix another security hole related to the previous fix.
(buffer overflow problem in quote escape)
freewnn (1.1.0+1.1.1-a016-1) frozen; urgency=low
* New upstream release with security-related fixes.
- fixes for msg_open() bug ([freewnn:00350]).
- freewnn-size_limit.diff ([freewnn:00361]).
- freewnn-mkdir.diff ([freewnn:00359]).
roxen (1.2beta2-3.1) stable; urgency=high
* Security fix - html encoding the output of the tags
referer, accept-language, clientname, file
Attacker can include code to be parsed by the server
floppybackup (1.3-2) stable; urgency=high
* Security Fix - fixed temporary file use
mtr (0.28-1) stable; urgency=high
* Security fix for theoretical stack-smash-and-fork attack -
s/seteuid/setuid/ in mtr.c
nmh (0.27-0.28-pre8-4) stable; urgency=high
* Applied patch to fix security hole which allowed untrusted shell
code to be executed.
w3m (0.1.8-1) frozen unstable; urgency=medium
* new upstream version
- security fix potential buffer overflow exploit
angband (290-1) unstable; urgency=low
* Update files in /var/lib/games/angband/data/ on install. Also, make
sure that the scores files are not owned by first player that runs the
game, this fixes a (minor) security issue.
--
see shy jo
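The mtr changelog entry quoted above ("s/seteuid/setuid/ in mtr.c") fixes a privilege-drop mistake. As an added illustration, not code from this mail or from mtr, the C program below shows the difference: seteuid() changes only the effective uid and leaves the saved uid at 0, so a later seteuid(0) regains root, whereas setuid() called with root privilege sets real, effective and saved uid together. It assumes a Linux/POSIX system; the target uid (65534 when run as root) is a constructed value.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The pre-fix pattern: seteuid() only changes the effective uid. When the
 * caller started as root, the saved set-user-ID stays 0, so any code that
 * later runs in this process (e.g. after a stack overflow) can call
 * seteuid(0) and fork a root shell. Returns 0 on success, -1 on error. */
int drop_privileges_temporarily(uid_t target)
{
    return seteuid(target);
}

/* The fixed pattern: setuid() from a privileged process sets real,
 * effective AND saved uid, so root cannot be regained afterwards.
 * Returns 0 on success, -1 on error. */
int drop_privileges(uid_t target)
{
    return setuid(target);
}

/* Probe whether root is still recoverable. Returns 1 when seteuid(0) is
 * refused with EPERM (privileges fully dropped), 0 when it succeeds (root
 * was only hidden, not dropped) or fails for another reason. */
int root_unrecoverable(void)
{
    if (seteuid(0) == 0)
        return 0;          /* we are root again: the drop was not permanent */
    return errno == EPERM;
}

int main(void)
{
    /* Constructed target: an unprivileged uid when we are root, else ourselves. */
    uid_t target = (getuid() == 0) ? (uid_t)65534 : getuid();

    if (drop_privileges_temporarily(target) != 0) { perror("seteuid"); return 1; }
    printf("after seteuid(): root unrecoverable = %d\n", root_unrecoverable());

    if (drop_privileges(target) != 0) { perror("setuid"); return 1; }
    printf("after setuid():  root unrecoverable = %d\n", root_unrecoverable());
    return 0;
}
```

Run it as root to see the first line report 0 and the second 1; as an unprivileged user both report 1, because there was never a saved root uid to fall back to.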