Several security issues seeking help
As I promised before, here a list of a few security issues that
are not yet fixed in woody, and won't mind a little bit of help from
interested people. This list was kindly given to me by Matt Zimmerman,
so unlike Michael Stone suggested, I don't think this is a real waste
of time, just like I think having bugs reported about these issues
wouldn't be a waste of time either (and would be in line with the Social
Contract's "We will not hide problems"). Let's see whether indeed making
these issues better known like I'm doing this way, helps.
"Stack-based buffer overflow in the ssl_util_uuencode_binary function
in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust
the issuing CA, may allow remote attackers to execute arbitrary code
via a client certificate with a long subject DN."
Question: does this affect woody?
l2tpd buffer overflow posted on Bugtraq:
Does this affect woody? If so, proper patch?
libpng and RHSA-2004-181:
Was Debian's DSA-498 complete? RedHat announced a fix two
times about it, RHSA-2004-180 and RHSA-2004-181. Did DSA-498 cover
Matt Zimmerman said: "I heard about a gnome-vfs bug recently as well;
I would like to know if it affects woody".
I couldn't find any reference to a recent report about this.
squirrelmail cross-site scripting issues in 1.2.x: RS-2004-1:
As noted in the bugreport, there were some XSS issues fixed in the
1.2.x stable branch, that haven't hit any security list, and still are
left unfixed in woody.
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)