[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Security status of Etch

The current security state of testing looks quite well. I'd
like to point out some issues you might not be aware of, as they
are not tracked by RC bugs.
This mail also lists some issues I'd like to have resolved and where
help is very welcome, as quite some stable-security work has piled

Only two security fixes are currently stuck by deps, which is
really nice:
- blender/CVE-2005-4470 - blocked by libraw transition
- hyperestraier/CVE-2006-3671 - blocked by qdbm

Some security issues need further attention:

- Imagemagick needs a co-maintainer. The current maintainer seems
  really busy and hasn't replied to mail with patches since about
  a month. It also needs a fix for #393025, it anyone wants to NMU
  please ping me for a patch.
- libmad seems to have DoS potential with apparently no fix available
  for quite some time, see #287519
- openssh-krb5 is outdated, maintaining openssh 3.8 further would
  be a PITA. Maintainer intent to transition to the stock openssh
  package (#390986).
- libavcodec only provided static linking in Sarge and provides
  shared libs in Etch. Someone needs to check all packages using
  libavcodec and libavformat and verify that they no longer link
- I've heard that python2.3 might be dropped, what's the status?
- There are two vulnerabilities in the non-free Sun Java. As non-free
  doesn't have security support pre-release seems the right time
  to have it updated:
  1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2426
     (Apparently no bug exists, might be fixed already, but needs
  2. #393042


Reply to: