Re: Several security issues seeking help

To: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Cc: debian-security@lists.debian.org
Subject: Re: Several security issues seeking help
From: Jean-Francois Dive <jef@debian.org>
Date: Thu, 8 Jul 2004 11:23:43 +0200
Message-id: <[🔎] 20040708092343.GC10683@gnoll.ath.cx>
In-reply-to: <[🔎] 20040707135227.GO9109@A-Eskwadraat.nl>
References: <[🔎] 20040707135227.GO9109@A-Eskwadraat.nl>

On Wed, Jul 07, 2004 at 03:52:27PM +0200, Jeroen van Wolffelaar wrote:
> As I promised[1] before[2], here a list of a few security issues that
> are not yet fixed in woody, and won't mind a little bit of help from
> interested people. This list was kindly given to me by Matt Zimmerman,
> so unlike Michael Stone suggested[3], I don't think this is a real waste
> of time, just like I think having bugs reported about these issues
> wouldn't be a waste of time either (and would be in line with the Social
> Contract's "We will not hide problems"). Let's see whether indeed making
> these issues better known like I'm doing this way, helps.
> 
> mod_ssl: CAN-2004-0488[4]:
> 
>   "Stack-based buffer overflow in the ssl_util_uuencode_binary function
>   in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust
>   the issuing CA, may allow remote attackers to execute arbitrary code
>   via a client certificate with a long subject DN."
> 
>   Question: does this affect woody?
> 
> l2tpd buffer overflow posted on Bugtraq[5]:
> 
>   Does this affect woody? If so, proper patch?

yes .. it does. i have a patch which fix the issue. I'll kick this to
get the woody version fixed. (i'm the l2tpd maintainer).

> 
> libpng and RHSA-2004-181:
> 
>   Was Debian's DSA-498[6] complete? RedHat announced a fix two
>   times about it, RHSA-2004-180[7] and RHSA-2004-181[8]. Did DSA-498 cover
>   both?
> 
> gnome-vfs:
> 
>   Matt Zimmerman said: "I heard about a gnome-vfs bug recently as well;
>   I would like to know if it affects woody".
> 
>   I couldn't find any reference to a recent report about this.
> 
> squirrelmail cross-site scripting issues in 1.2.x: RS-2004-1[9]:
> 
>   As noted in the bugreport[10], there were some XSS issues fixed in the
>   1.2.x stable branch, that haven't hit any security list, and still are
>   left unfixed in woody.
> 
> --Jeroen
> 
> [1] http://lists.debian.org/debian-security/2004/07/msg00036.html
> [2] http://lists.debian.org/debian-security/2004/07/msg00043.html
> [3] http://lists.debian.org/debian-security/2004/07/msg00041.html
> [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
> [5] http://seclists.org/lists/bugtraq/2004/Jun/0073.html
> [6] http://www.nl.debian.org/security/2004/dsa-498
> [7] http://www.redhat.com/support/errata/RHSA-2004-180.html
> [8] http://www.redhat.com/support/errata/RHSA-2004-181.html
> [9] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
> [10] http://bugs.debian.org/257973
> 
> -- 
> Jeroen van Wolffelaar
> Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
> http://Jeroen.A-Eskwadraat.nl
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

-- 
--

-> Jean-Francois Dive
--> jef@linuxbe.org

  I think that God in creating Man somewhat overestimated his ability.
    -- Oscar Wilde

Reply to:

References:
- Several security issues seeking help
  - From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

Prev by Date: Re: A question about : [Fwd: JULY 6th Lead Training 3 tips for working leads]
Next by Date: Re: A question about : [Fwd: JULY 6th Lead Training 3 tips for working leads]
Previous by thread: Re: Several security issues seeking help
Next by thread: A question about : [Fwd: JULY 6th Lead Training 3 tips for working leads]
Index(es):
- Date
- Thread