
Re: Snort: Mass Bug Closing

Quoting Matt Zimmerman (mdz@debian.org):
> > I'm about to close 95153, 133049, 158040, 165555, 170580, 173331, 176223,
> > 135603, 161659, 165107, 165135, 165351, 171190, 172529, 173663, 174506,
> > 174508, 174509, 192401, 193544, 101725, 122689, 159575, 165126, 182280,
> > and 189780 with a nice message telling that the bug was reported on a
> Did you check whether any of these bugs are fixed?  I reported at least one
> of them, and it is definitely not fixed.  You should not close bugs simply
> because they are old.

Yes. IMHO all these bugs are fixed in the new packages I provided for
stable users on p.d.o/~ssmeenk/

> > Before you object to this rather 'rude' bug handling, please keep in mind
> > that version 1.8.4 of snort, which is in stable, has 3 severe security
> > exploits, and is completely outdated in catching crooks (rulefiles) and
> > detection mechanisms. Not to speak of package stability ;)
> I think it is quite "rude" to knowingly distribute a package with severe
> security problems without fixing the bugs or even informing other
> developers.

FFS don't act like I'm the bad guy here.

I reported the advisories the minute I heard of them, and that was maybe
a couple of hours after they had been released to the public. A nice
mail went to the security team, and they told me what to do: fix the
package in unstable, and try whether I was capable of fixing the stable
version without using new upstream source.

I then told the security team I was not capable of doing such a thing. Time
passed and I got a request to create stable packages of new upstream
source and provide them on p.d.o. So I did.

But as far as I know, those packages went in the advisory, and the
stable archive & stable security updates apt source were never updated
with a fixed version of the package.

> What are these bugs exactly?

If I recall correctly, it was two memory allocation faults in the RPC
code, and one in the fragmented packet reassembly code.

> How long have you been aware of them?

As long as the security team was.

> Or are you perhaps not aware of DSA-297?

I knew it was released, but I probably overlooked the fact that indeed
the stable version of the snort package /has/ been fixed. That was
stupid of me.

| Amnesia used to be my favorite word, but then I forgot it.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8  9BDB D463 7E41 08CE C94D
