
Re: Security in sarge

On Mon, Sep 27, 2004 at 08:41:13PM -0400, Joey Hess wrote:
> Martin Schulze wrote:
> > ruby 1.8.1+1.8.2pre1-4 needed, have 1.8.1-8 for DSA-537

> This is fixed in ruby1.8 in testing; ruby itself is a dependency package.
> I don't know if ruby1.7 was/is vulnerable, do you?

Probably ruby1.6 rather than ruby1.7; the latter is not in sarge.

> > pavuk (unfixed; bug #264684) for DSA-527

> pavuk 0.9pl28-3 fixed that. #264684 is left open only for the other
> security hole mentioned there. We might need a DSA for that hole..
> I'm not explicitly tracking it since it already has an RC bug.

Package is in a weird state in the archive (binaries but no sources);
requires an ftpmaster to look at it, preferably for removal from sarge.

> > sredird vulnerability in testing/unstable

> Since we have an RC bug (#267098), I won't bother to track it.

Package is also not in testing.

> > CAN-2004-0781: icecast-server 1.3.12-8 needed (DSA 541)
> > CAN-2004-0794: krb5 1.3.4-3 needed (DSA 543)
> > CAN-2004-0645: wv (DSA 550)

> I'm tracking all of these; krb5 and icecast-server are already fixed.

And fixed in testing, to be precise.

> wv (unfixed; bug #264972) for DSA-550-1
> gtk+2.0 2.4.9-2 needed, have 2.4.9-1 for DSA-549-1
> kdelibs 4:3.3.0-1 needed, have 4:3.2.3-2 for DSA-539
> rlpr (unfixed; bug #255402) for DSA-524

rlpr is in the same state as pavuk above.

kdelibs is also supposed to be fixed in 4:3.2.3-3.sarge.2 in
testing-proposed-updates, currently waiting on missing mips binaries
(caused by lack of available autobuilder for this arch).

gtk+2.0 is waiting on a requeue for m68k, following an interrupted build
attempt.  Mail sent to the m68k buildd list requesting someone to look
at this.

The wv bug is tagged as fixed in NMU by version 1.0.2-0.1, which is in

Steve Langasek
postmodern programmer
