[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Several security issues seeking help

As I promised[1] before[2], here a list of a few security issues that
are not yet fixed in woody, and won't mind a little bit of help from
interested people. This list was kindly given to me by Matt Zimmerman,
so unlike Michael Stone suggested[3], I don't think this is a real waste
of time, just like I think having bugs reported about these issues
wouldn't be a waste of time either (and would be in line with the Social
Contract's "We will not hide problems"). Let's see whether indeed making
these issues better known like I'm doing this way, helps.

mod_ssl: CAN-2004-0488[4]:

  "Stack-based buffer overflow in the ssl_util_uuencode_binary function
  in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust
  the issuing CA, may allow remote attackers to execute arbitrary code
  via a client certificate with a long subject DN."

  Question: does this affect woody?

l2tpd buffer overflow posted on Bugtraq[5]:

  Does this affect woody? If so, proper patch?

libpng and RHSA-2004-181:

  Was Debian's DSA-498[6] complete? RedHat announced a fix two
  times about it, RHSA-2004-180[7] and RHSA-2004-181[8]. Did DSA-498 cover


  Matt Zimmerman said: "I heard about a gnome-vfs bug recently as well;
  I would like to know if it affects woody".

  I couldn't find any reference to a recent report about this.

squirrelmail cross-site scripting issues in 1.2.x: RS-2004-1[9]:

  As noted in the bugreport[10], there were some XSS issues fixed in the
  1.2.x stable branch, that haven't hit any security list, and still are
  left unfixed in woody.


[1] http://lists.debian.org/debian-security/2004/07/msg00036.html
[2] http://lists.debian.org/debian-security/2004/07/msg00043.html
[3] http://lists.debian.org/debian-security/2004/07/msg00041.html
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
[5] http://seclists.org/lists/bugtraq/2004/Jun/0073.html
[6] http://www.nl.debian.org/security/2004/dsa-498
[7] http://www.redhat.com/support/errata/RHSA-2004-180.html
[8] http://www.redhat.com/support/errata/RHSA-2004-181.html
[9] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
[10] http://bugs.debian.org/257973

Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)

Reply to: