[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security updates without DSA?

Olaf Meeuwissen <olaf@epkowa.co.jp> (that's me!) writes:

> Dear .debs,
> I recently wanted to apply security updates to a machine I'd installed
> from woody pre6 CDs, hardened and upgraded to woody proper.  [...]
> Before applying the upgrades I checked whether there was a DSA for the
> packages that were going to be upgraded.  Surprise, there were several
> that did not (seem to) have a corresponding DSA.
> Question: Is that normal and OK?
> Packages in question are, amongst others, fetchmail-ssl, kmail, kppp,
> korn, kit ksirc and several other KDE packages.  Since there are DSA's
> for openssl and kdelibs, my guess is that the aforementioned packages
> are "just" recompiles against the fixed libraries.  Should there not
> be DSA's for that as well?
>   After all, the package seems to be affected by the security issue to
> some extent (otherwise recompilation is rather pointless).

I looked into this a bit more and from the changelogs it seems that it
really concerned security upgrades.  In the case of fetchmail-ssl, the
woody release shipped with 5.9.11-5, the upgrade is 5.9.11-6 and the
changelog says:

  fetchmail (5.9.11-6) testing-security; urgency=high

    * SECURITY FIX: avoid buffer overflow on 64bit archs (imap.c)
      This is a remote-expolitable buffer overflow, if the imap server
      is hostile (backported from new upstream 5.9.12, bug found and
      fixed by Nalin Dahyabhai)
    * Minor fix to avoid leaking children (driver.c)
      (backported from new upstream 5.9.12)
    * Avoid trying to speak kpop to a imap server (driver.c)
      (backported from new upstream 5.9.12)
    * MINOR SECURITY FIX: better password shrounding (fetchmail.h, imap.c,
      transact.c) (backported from new upstream 5.9.12)
    * Handle empty addresses from a To: header containing only a comment
      (transact.c) (backported from new upstream 5.9.12)

   -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat,  8 Jun 2002 09:40:46 -0300

For the KDE packages I found out that they all come from the same
source package: kdenetwork.  The woody release shipped 4:2.2.2-14, the
upgrade is 4:2.2.2-14.0woody1 and the changelog says:

  kdenetwork (4:2.2.2-14.0woody1) testing-security; urgency=high

    * NMU by the security team.
      - Fix format string bug (Closes: #147762)

   -- Daniel Jacobowitz <dan@debian.org>  Sun,  7 Jul 2002 14:12:03 -0400

So we have one maintainer and one security team upgrade for the woody
distribution that have never been publicly announced.  From the looks
of it, it would seem that these upgrades somehow got lost (them being
upgrades to *testing*).  I am aware of the fact that security for the
testing distribution is non-existent, but as woody is now stable, I'd
say these are security issues for the stable distribution and should
probably be announced (even if it's a bit late).

Hope this helps,
Olaf Meeuwissen                            EPSON KOWA Corporation, ECS
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2               -- I hack, therefore I am --                 BOFH

Reply to: