
Security status of Etch



The current security state of testing looks quite good. I'd
like to point out some issues you might not be aware of, as they
are not tracked by RC bugs.
This mail also lists some issues I'd like to have resolved and where
help is very welcome, as quite a lot of stable-security work has piled
up.

Only two security fixes are currently held up by dependencies, which is
really nice:
- blender/CVE-2005-4470 - blocked by libraw transition
- hyperestraier/CVE-2006-3671 - blocked by qdbm

Some security issues need further attention:

- ImageMagick needs a co-maintainer. The current maintainer seems
  really busy and hasn't replied to mail with patches for about
  a month. It also needs a fix for #393025; if anyone wants to NMU,
  please ping me for a patch.
- libmad seems to have DoS potential with apparently no fix available
  for quite some time, see #287519
- openssh-krb5 is outdated; maintaining openssh 3.8 further would
  be a PITA. The maintainer intends to transition to the stock openssh
  package (#390986).
- libavcodec only provided static linking in Sarge and provides
  shared libs in Etch. Someone needs to check all packages using
  libavcodec and libavformat and verify that they no longer link
  statically.
- I've heard that python2.3 might be dropped, what's the status?
- There are two vulnerabilities in the non-free Sun Java. As non-free
  doesn't have security support, pre-release seems the right time
  to have it updated:
  1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2426
     (Apparently no bug exists, might be fixed already, but needs
      verification)
  2. #393042

Cheers,
        Moritz



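The libavcodec item above asks someone to verify that packages built against libavcodec/libavformat now link the shared libraries rather than carrying a static copy. The security point is that a static copy does not pick up a fix shipped in the shared library, so every such package would need its own security upload. As an added example that is not part of Moritz's mail or of any Debian tooling, the shell script below classifies one binary as "dynamic" (DT_NEEDED names libavcodec/libavformat), "static" (the libraries' functions are defined inside the binary, or, for a stripped binary, their compiled-in "Lavc<version>"/"Lavf<version>" ident strings remain) or "none", and runs that over everything a package installed. The tools it assumes are readelf, nm and strings from binutils, dpkg, and optionally grep-dctrl with a deb-src line; the regex heuristics, the Build-Depends names it greps for and the sample tool output at the bottom are constructed for this example, not taken from any real package.

```shell
#!/bin/sh
# Added example, not part of the original mail: find binaries that still
# carry libavcodec/libavformat statically.  A statically linked copy does
# not pick up the fix when the shared library is updated, so each such
# package would need its own security upload.
#
# Tools assumed: readelf, nm, strings (binutils), dpkg, and optionally
# grep-dctrl (dctrl-tools) with a deb-src line in sources.list.

# classify_avlink NEEDED SYMS IDENTS -> prints dynamic | static | none
#   NEEDED : text of `readelf -d FILE`   (DT_NEEDED entries)
#   SYMS   : text of `nm FILE`           (empty for a stripped binary)
#   IDENTS : text of `strings FILE | grep -E '^Lav[cf]'`
# Taking the tool output as arguments keeps the decision logic testable
# without a real package at hand.
classify_avlink() {
    needed=$1; syms=$2; idents=$3
    if printf '%s\n' "$needed" | grep -Eq 'NEEDED.*\[lib(avcodec|avformat)\.so'; then
        # the loader resolves the library at run time: a shared-lib update suffices
        echo dynamic
    elif printf '%s\n' "$syms" | grep -Eq ' [Tt] (avcodec|avformat)_'; then
        # library functions are *defined* inside the binary: linked from the .a
        echo static
    elif printf '%s\n' "$idents" | grep -Eq '^Lav[cf][0-9]'; then
        # stripped binary: the LIBAVCODEC_IDENT / LIBAVFORMAT_IDENT strings
        # ("Lavc<version>" / "Lavf<version>") that the libraries compile in
        # are the remaining evidence (heuristic, assumed here)
        echo static
    else
        echo none
    fi
}

# check_file FILE: classify one installed file (non-ELF files are skipped)
check_file() {
    f=$1
    [ -f "$f" ] || return 1
    head -c 4 "$f" 2>/dev/null | grep -q ELF || return 1
    needed=$(readelf -d "$f" 2>/dev/null)
    syms=$(nm "$f" 2>/dev/null)
    idents=$(strings "$f" 2>/dev/null | grep -E '^Lav[cf]')
    printf '%s\t%s\n' "$(classify_avlink "$needed" "$syms" "$idents")" "$f"
}

# check_package PKG: run check_file over everything dpkg installed for PKG
check_package() {
    dpkg -L "$1" | while IFS= read -r f; do
        check_file "$f" || :
    done
}

# candidate_sources: source packages whose Build-Depends mention the libs
# (assumes dctrl-tools and a deb-src entry; the package names are assumptions)
candidate_sources() {
    grep-dctrl -F Build-Depends -e 'libavcodec|libavformat|ffmpeg' \
        -s Package /var/lib/apt/lists/*_Sources | sed 's/^Package: //' | sort -u
}

# Constructed sample tool output (not captured from any real package), so
# the classifier can be exercised offline:
SAMPLE_DYNAMIC=' 0x0000000000000001 (NEEDED)             Shared library: [libavcodec.so.51]'
SAMPLE_STATIC_NM='0000000000401230 T avcodec_open'
SAMPLE_STATIC_IDENT='Lavc51.40.4'
SAMPLE_PLAIN_NEEDED=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

demo() {
    classify_avlink "$SAMPLE_DYNAMIC" "" ""            # dynamic
    classify_avlink "" "$SAMPLE_STATIC_NM" ""          # static
    classify_avlink "" "" "$SAMPLE_STATIC_IDENT"       # static
    classify_avlink "$SAMPLE_PLAIN_NEEDED" "" ""       # none
}

# usage: sh check_avlink.sh PKG...   (no arguments: only run the demo)
if [ $# -gt 0 ]; then
    for p; do check_package "$p"; done
else
    demo
fi
```

With package names as arguments the script prints one "class<TAB>path" line per ELF file; anything reported as "static" is a candidate for a rebuild against the shared libraries. The list of packages to feed it comes from the reverse build-dependencies, which is what candidate_sources approximates. The ident-string branch is a heuristic for stripped binaries and can miss a static copy whose version string was optimised away, so a "none" for a package that is known to use the libraries deserves a second look with objdump.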