
Re: unfixed security holes in testing



On Thu, Dec 30, 2004 at 04:12:35PM -0500, Joey Hess wrote:
> YA report on security holes that are fixed in unstable but not yet in
> testing. Executive summary: gcc-3.4 is blocking many security fixes, KDE
> continues to suck. Also, a RM should look at mtr.

> groff 1.18.1.1-5 needed, have 1.18.1.1-3 for CAN-2004-1296
> 	Frozen also blocked by gcc-3.4.

Fixed, now that gcc-3.4 is cleared.

> nasm 0.98.38-1.1 needed, have 0.98.38-1 for CAN-2004-1287
> 	Should go in after ~3 days

Yep, done.

> cupsys 1.1.22-2 needed, have 1.1.20final+rc1-10 for CAN-2004-1270
> cupsys 1.1.22-2 needed, have 1.1.20final+rc1-10 for CAN-2004-1269
> cupsys 1.1.22-2 needed, have 1.1.20final+rc1-10 for CAN-2004-1268
> cupsys 1.1.22-2 needed, have 1.1.20final+rc1-10 for CAN-2004-1267
> 	Delayed by frequent uploads which include another possible
> 	security hole, due in 3 days barring more uploads.

Also done now.

> abcm2ps 4.8.5-1 needed, have 4.6.7-1 for CAN-2004-1258
> 	Uploaded at too low urgency (low); now 7 of 10 days old.

Made it in on its own.

> mtr 0.67-1 needed, have 0.58-1 for CAN-2004-1224
> 	Frozen, fix is in new upstream version.
> 	Needs RM decision or t-p-u upload.

Approved by Colin.

> vim 1:6.3-046+0sarge1 needed, have 1:6.3-013+2 for CAN-2004-1138
> 	Blocked by gcc-3.4, FTBFS on arm for unknown reason.

Still broken on arm.

> xpdf 3.0.0-11 needed, have 3.00-10 for CAN-2004-1125
> 	Blocked by gcc-3.4.

Done now.

> kernel-source-2.4.27 2.4.27-7 needed, have 2.4.27-6 for CAN-2004-1074
> kernel-source-2.4.27 2.4.27-7 needed, have 2.4.27-6 for CAN-2004-1068
> kernel-image-2.4.27-i386 2.4.27-7 needed, have 2.4.27-6 for CAN-2004-1016
> kernel-source-2.4.27 2.4.27-7 needed, have 2.4.27-6 for CAN-2004-0814
> 	Just uploaded, at mostly low urgency.
> 	d-i will need to be updated, as well as other architectures.

The first of these packages is held out by an RC bug and its age, the second
by outdated binary packages that an ftpmaster will have to remove.

> cyrus21-imapd 2.1.17-1 needed, have 2.1.16-10 for CAN-2004-1013
> cyrus21-imapd 2.1.17-1 needed, have 2.1.16-10 for CAN-2004-1012
> 	Still blocked by perl.

No change here.

> mailutils 1:0.5-4 needed, have 1:0.5-3 for CAN-2004-0984
> 	FTBFS on s390, due to massive test suite failures. Possibly
> 	the test suite wants something that's not present on our s390
> 	buildd? See bug #281653.

Built and uploaded by hand on s390; I've asked the maintainer to coordinate
with the buildd maintainer so that future versions can autobuild again.

> perl 5.8.4-4 needed, have 5.8.4-3 for CAN-2004-0976
> 	Frozen, out of date on arm, mipsel, see discussion after
> 	previous reports, no new progress that I know of.

Also no change, of course.

> libc6 2.3.2.ds1-19 needed, have 2.3.2.ds1-18 for CAN-2004-0968
> 	Frozen; out of date on arm, hppa, m68k; blocked by gcc-3.4.

ds1-20 is in testing now.

> xfree86 4.3.0.dfsg.1-9 needed, have 4.3.0.dfsg.1-8 for CAN-2004-0914
> 	FTBFS on s390 (buildd out of space); blocked by gcc-3.4.

Now at -10, missing an hppa build instead of an s390 build.

> telnetd-ssl 0.17.24+0.1-6 needed, have 0.17.24+0.1-4 for DSA-616-1
> 	Blocked by gcc-3.4.

Done now.

> ethereal 0.10.8-1 needed, have 0.10.6-1 for DSA-613-1
> 	Missing arm build, which happened on the 15th but was not
> 	uploaded.

Still missing the arm build.

> koffice 1:1.3.4-1 needed, have 1:1.3.2-1.sarge.1 for CAN-2004-0888
> kaffeine 0.4.3.1-3 needed, have 0.4.3-1 for CAN-2004-1034
> kdelibs 4:3.3.1-2 needed, have 4:3.2.3-2 for CAN-2004-1171
> kdebase 4:3.3.1-3 needed, have 4:3.2.2-1 for CAN-2004-1171
> kdelibs 4:3.3.1-3 needed, have 4:3.2.3-2 for CAN-2004-1158
> kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0746
> konqueror 4:3.2.3-1.sarge.1 needed, have 4:3.2.2-1 for CAN-2004-0721
> kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0721
> kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for CAN-2004-0690
> kpdf 4:3.3.1-1 needed, have 4:3.2.3-1.1 for DSA-573-1
> kfax 4:3.3.1-1 needed, have 4:3.2.3-1.1 for DSA-573-1
> 	Maybe I can stop worrying about these since the new KDE is
> 	expected to get into testing.

And here's the good news, of course... these are all now fixed, effective
at dinstall on the 4th.

So now people can start worrying about the new batch of KDE security bugs
instead. ;)

-- 
Steve Langasek
postmodern programmer
