Re: Several security issues seeking help
On Wed, Jul 07, 2004 at 03:52:27PM +0200, Jeroen van Wolffelaar wrote:
> As I promised before, here a list of a few security issues that
> are not yet fixed in woody, and won't mind a little bit of help from
> interested people. This list was kindly given to me by Matt Zimmerman,
> so unlike Michael Stone suggested, I don't think this is a real waste
> of time, just like I think having bugs reported about these issues
> wouldn't be a waste of time either (and would be in line with the Social
> Contract's "We will not hide problems"). Let's see whether indeed making
> these issues better known like I'm doing this way, helps.
> mod_ssl: CAN-2004-0488:
> "Stack-based buffer overflow in the ssl_util_uuencode_binary function
> in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust
> the issuing CA, may allow remote attackers to execute arbitrary code
> via a client certificate with a long subject DN."
> Question: does this affect woody?
> l2tpd buffer overflow posted on Bugtraq:
> Does this affect woody? If so, proper patch?
Yes, it does. I have a patch which fixes the issue. I'll kick this to
get the woody version fixed. (I'm the l2tpd maintainer.)
> libpng and RHSA-2004-181:
> Was Debian's DSA-498 complete? RedHat announced a fix two
> times about it, RHSA-2004-180 and RHSA-2004-181. Did DSA-498 cover
> Matt Zimmerman said: "I heard about a gnome-vfs bug recently as well;
> I would like to know if it affects woody".
> I couldn't find any reference to a recent report about this.
> squirrelmail cross-site scripting issues in 1.2.x: RS-2004-1:
> As noted in the bugreport, there were some XSS issues fixed in the
> 1.2.x stable branch, that haven't hit any security list, and still are
> left unfixed in woody.
>  http://lists.debian.org/debian-security/2004/07/msg00036.html
>  http://lists.debian.org/debian-security/2004/07/msg00043.html
>  http://lists.debian.org/debian-security/2004/07/msg00041.html
>  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
>  http://seclists.org/lists/bugtraq/2004/Jun/0073.html
>  http://www.nl.debian.org/security/2004/dsa-498
>  http://www.redhat.com/support/errata/RHSA-2004-180.html
>  http://www.redhat.com/support/errata/RHSA-2004-181.html
>  http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
>  http://bugs.debian.org/257973
> Jeroen van Wolffelaar
> Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
-> Jean-Francois Dive
I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde
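As an added illustration of the bug class named in the CAN-2004-0488 text quoted above (a base64/"uuencode" routine writing a client-certificate subject DN into a fixed-size stack buffer), here is a constructed toy in C. It is not mod_ssl's ssl_util_uuencode_binary and is not code from either poster; the function names, buffer sizes and sample DNs are assumptions for the example. It shows the unchecked encoder that trusts the caller's buffer size, and the bounds-checked form a fix takes: compute the required output length from the input length and refuse before writing a single byte.

```c
/* Constructed example: base64 ("uuencode") of a DN into a fixed-size buffer.
 * NOT mod_ssl's code; names, sizes and sample DNs are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

static const char b64tab[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Bytes a base64 encoding of `len` input bytes needs, including the NUL. */
size_t b64_needed(size_t len) {
    return ((len + 2) / 3) * 4 + 1;
}

/* Vulnerable pattern: writes into `out` with no idea how big `out` is.
 * Sizing `out` for a "typical" DN on the stack and passing an
 * attacker-chosen DN is exactly how a long subject DN overruns it.
 * Returns the number of characters written (excluding the NUL). */
size_t uuencode_unchecked(char *out, const unsigned char *in, size_t len) {
    size_t i = 0, o = 0;
    while (i + 3 <= len) {
        unsigned v = ((unsigned)in[i] << 16) | ((unsigned)in[i + 1] << 8) | in[i + 2];
        out[o++] = b64tab[(v >> 18) & 63];
        out[o++] = b64tab[(v >> 12) & 63];
        out[o++] = b64tab[(v >> 6) & 63];
        out[o++] = b64tab[v & 63];
        i += 3;
    }
    if (len - i == 1) {
        unsigned v = (unsigned)in[i] << 16;
        out[o++] = b64tab[(v >> 18) & 63];
        out[o++] = b64tab[(v >> 12) & 63];
        out[o++] = '=';
        out[o++] = '=';
    } else if (len - i == 2) {
        unsigned v = ((unsigned)in[i] << 16) | ((unsigned)in[i + 1] << 8);
        out[o++] = b64tab[(v >> 18) & 63];
        out[o++] = b64tab[(v >> 12) & 63];
        out[o++] = b64tab[(v >> 6) & 63];
        out[o++] = '=';
    }
    out[o] = '\0';
    return o;
}

/* Hardened form: the caller states `outlen`; refuse before writing if the
 * encoding cannot fit. Returns the length written, or -1 when rejected. */
int uuencode_checked(char *out, size_t outlen, const unsigned char *in, size_t len) {
    if (outlen < b64_needed(len))
        return -1;
    return (int)uuencode_unchecked(out, in, len);
}

/* Stand-in for the server-side caller (assumed shape): encode an
 * attacker-supplied DN into a caller-owned buffer. 1 = encoded, 0 = rejected. */
int encode_client_dn(const char *dn, char *out, size_t outlen) {
    return uuencode_checked(out, outlen, (const unsigned char *)dn, strlen(dn)) >= 0;
}

/* Helper for checking the encoder against known base64 vectors. */
int encodes_to(const char *in, const char *expect) {
    char out[256]; /* sized for the short constructed inputs only */
    size_t len = strlen(in);
    if (b64_needed(len) > sizeof out)
        return 0;
    uuencode_unchecked(out, (const unsigned char *)in, len);
    return strcmp(out, expect) == 0;
}

/* Constructed sample: a plausible short DN fits a 128-byte stack buffer. */
int demo_short_dn_fits(void) {
    char out[128];
    return encode_client_dn("CN=alice,O=Example,C=NL", out, sizeof out);
}

/* Constructed sample: a 511-byte DN needs 685 bytes; the checked path rejects
 * it instead of smashing the 128-byte buffer. */
int demo_long_dn_rejected(void) {
    char out[128];
    char dn[512];
    memset(dn, 'A', sizeof dn - 1);
    dn[sizeof dn - 1] = '\0';
    return encode_client_dn(dn, out, sizeof out);
}

int main(void) {
    printf("short DN accepted: %d\n", demo_short_dn_fits());
    printf("long DN accepted:  %d\n", demo_long_dn_rejected());
    return 0;
}
```

The check belongs at the boundary where the attacker-controlled length enters, not deeper in the encoder: the unchecked routine is fine when every caller sizes the buffer from b64_needed(), and the bug is the caller that sized it from an assumption about "normal" DNs instead.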