Over the past couple of weeks the testing security team has reviewed all CAN and CVE entries announced since the release of woody, to check which of these security holes are still present in sarge. Adding this to the earlier work to review DSAs, we now have a pretty good picture of unfixed security holes in sarge, and can be reasonably sure that there are no old forgotten security holes that never got a fix into sarge. Although it's always possible we missed some or made mistakes, and we still have 50 or so items marked TODO or HELP. We checked about 2700 items, of these about 600 had affected Debian at some point, and 26 remain unfixed in sarge: kaffeine 0.4.3.1-3 needed, have 0.4.3-1 for CAN-2004-1034 Blocked by kde, t-p-u upload candidate. gxine (unfixed; bug #279747) for CAN-2004-1034 Was supposed to be fixed last weekend, was not, NMU candidate. fcron 2.9.5.1-1 needed, have 2.9.4-3.1 for CAN-2004-1033 fcron 2.9.5.1-1 needed, have 2.9.4-3.1 for CAN-2004-1032 fcron 2.9.5.1-1 needed, have 2.9.4-3.1 for CAN-2004-1031 fcron 2.9.5.1-1 needed, have 2.9.4-3.1 for CAN-2004-1030 Blocked by libselinux (should go in in 4 days). zip 2.30-8 needed, have 2.30-6 for CAN-2004-1010 Held out by missing hppa build. ppp 2.4.2+20040428-3 needed, have 2.4.2+20040428-2 for CAN-2004-1002 Candidate for to be forced into testing, if the diff seems sane to RMs. If not we should backport only the security fix to t-p-u. iptables 1.2.11-4 needed, have 1.2.11-2 for CAN-2004-0986 Candidate for to be forced into testing, if the diff seems sane to RMs. Changes seem minimal and necessary. mailutils 1:0.5-4 needed, have 1:0.5-3 for CAN-2004-0984 A missing mips build apparently happened 5 Nov, but was not uploaded. FTBFS on s390 due to test suite failures, which has happened before (#192962, #265490). perl 5.8.4-4 needed, have 5.8.4-3 for CAN-2004-0976 FTBFS on mipsel due to test suite failures. Note that this happened for -3 also, and yet it somehow got built and into sarge anyway. How? openssl 0.9.7e-1 needed, have 0.9.7d-5 for CAN-2004-0975 New upstream with several security fixes, needs RM review. libc6 (unfixed; bug #278278) for CAN-2004-0968 So far no response from maintainers. NMU candidate, if this wasn't glibc.. samba 3.0.8-1 needed, have 3.0.7-2 for CAN-2004-0930 Missing alpha build from 18th. koffice 1:1.3.4-1 needed, have 1:1.3.2-1.sarge.1 for CAN-2004-0888 kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0746 konqueror 4:3.2.3-1.sarge.1 needed, have 4:3.2.2-1 for CAN-2004-0721 kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0721 kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0690 All of these are fixed in t-p-u, but blocked for well understood reasons. kernel-source-2.4.27 (unfixed; bug #280492) for CAN-2003-0465 strncpy in kernel does not pad with zeroes May not be a RC security hole. ssh (unfixed; bug #281595) for CAN-2003-0190 Limited vulneraility (information leak). apache 1.3.33-2 needed, have 1.3.31-7 for DSA-594-1 Was uploaded with wrong urgency, should have an urgent hint added. libgd1 (unfixed; bug #280134) for DSA-589-1 Unknown delay getting patch applied, NMU candidate. kpdf 4:3.3.1-1 needed, have 4:3.2.3-1.1 for DSA-573-1 kfax 4:3.3.1-1 needed, have 4:3.2.3-1.1 for DSA-573-1 kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for DSA-539 IIRC fixes for these are not in t-p-u yet. -- see shy jo
Attachment:
signature.asc
Description: Digital signature