
Re: Security in sarge



Martin Schulze wrote:
> ruby 1.8.1+1.8.2pre1-4 needed, have 1.8.1-8 for DSA-537

This is fixed in ruby1.8 in testing; ruby itself is a dependency package.
I don't know if ruby1.7 was/is vulnerable, do you?

> pavuk (unfixed; bug #264684) for DSA-527

pavuk 0.9pl28-3 fixed that. #264684 is left open only for the other
security hole mentioned there. We might need a DSA for that hole.
I'm not explicitly tracking it since it already has an RC bug.

> log2mail (unfixed; bug #264687) for DSA-513

log2mail 0.2.8-3 fixed it.

> slocate (unfixed; bug #226103) for DSA-428

slocate 2.7-3 fixed it.

> sredird vulnerability in testing/unstable

Since we have an RC bug (#267098), I won't bother to track it.

> CAN-2004-0801: foomatic-filters 3.0.1-20040621-4 too old

Fixed by 3.0.2-1 in testing.

> CAN-2004-0806: cdrecord 2.0+a34-1 too old

Fixed by 4:2.0+a34-2, which is in testing.

> CAN-2004-0558: CUPS DoS

This was DSA-545-1, it's fixed by cupsys 1.1.20final+rc1-6 in testing.

> CAN-2004-0752: OpenOffice.org, done in 1.1.2-4

Already in testing.

> CAN-2004-0818: star: local root exploit

I can't track this one as the CAN is reserved and unreleased.

> CAN-2004-0747: Apache 2, done in 2.0.51-2
> CAN-2004-0786: Apache 2, done in 2.0.51-2

Already in testing.

> CAN-2004-0811: Apache 2

I see you've filed a bug on this, so I'll let the usual methods of
RC bug handling ensure this is fixed before sarge release.

> CAN-2004-0809: Apache 2/mod_dav (woody missing)

This is fixed in apache2 2.0.51, in testing. I don't know about woody.

> CAN-2004-0832: squid, done in 2.5.6-8

In testing.

> CAN-2004-0781: icecast-server 1.3.12-8 needed (DSA 541)
> CAN-2004-0794: krb5 1.3.4-3 needed (DSA 543)
> CAN-2004-0645: wv (DSA 550)

I'm tracking all of these; krb5 and icecast-server are already fixed.

> CAN-2004-0749: svn, done in 1.0.8-1

This is an unreleased CAN, according to mitre. I'll pretend you have not
mentioned it. ;-)

> Joey, could you merge this with the list you maintain and post an
> update?

Here's my current list. Note that I actually didn't add anything for the
reasons explained above.

wv (unfixed; bug #264972) for DSA-550-1
gtk+2.0 2.4.9-2 needed, have 2.4.9-1 for DSA-549-1
kdelibs 4:3.3.0-1 needed, have 4:3.2.3-2 for DSA-539
rlpr (unfixed; bug #255402) for DSA-524

-- 
see shy jo
