[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Several security issues seeking help

On Wed, Jul 07, 2004 at 03:52:27PM +0200, Jeroen van Wolffelaar wrote:
> As I promised[1] before[2], here a list of a few security issues that
> are not yet fixed in woody, and won't mind a little bit of help from
> interested people. This list was kindly given to me by Matt Zimmerman,
> so unlike Michael Stone suggested[3], I don't think this is a real waste
> of time, just like I think having bugs reported about these issues
> wouldn't be a waste of time either (and would be in line with the Social
> Contract's "We will not hide problems"). Let's see whether indeed making
> these issues better known like I'm doing this way, helps.
> mod_ssl: CAN-2004-0488[4]:
>   "Stack-based buffer overflow in the ssl_util_uuencode_binary function
>   in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust
>   the issuing CA, may allow remote attackers to execute arbitrary code
>   via a client certificate with a long subject DN."
>   Question: does this affect woody?
> l2tpd buffer overflow posted on Bugtraq[5]:
>   Does this affect woody? If so, proper patch?

yes .. it does. i have a patch which fix the issue. I'll kick this to
get the woody version fixed. (i'm the l2tpd maintainer).

> libpng and RHSA-2004-181:
>   Was Debian's DSA-498[6] complete? RedHat announced a fix two
>   times about it, RHSA-2004-180[7] and RHSA-2004-181[8]. Did DSA-498 cover
>   both?
> gnome-vfs:
>   Matt Zimmerman said: "I heard about a gnome-vfs bug recently as well;
>   I would like to know if it affects woody".
>   I couldn't find any reference to a recent report about this.
> squirrelmail cross-site scripting issues in 1.2.x: RS-2004-1[9]:
>   As noted in the bugreport[10], there were some XSS issues fixed in the
>   1.2.x stable branch, that haven't hit any security list, and still are
>   left unfixed in woody.
> --Jeroen
> [1] http://lists.debian.org/debian-security/2004/07/msg00036.html
> [2] http://lists.debian.org/debian-security/2004/07/msg00043.html
> [3] http://lists.debian.org/debian-security/2004/07/msg00041.html
> [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
> [5] http://seclists.org/lists/bugtraq/2004/Jun/0073.html
> [6] http://www.nl.debian.org/security/2004/dsa-498
> [7] http://www.redhat.com/support/errata/RHSA-2004-180.html
> [8] http://www.redhat.com/support/errata/RHSA-2004-181.html
> [9] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
> [10] http://bugs.debian.org/257973
> -- 
> Jeroen van Wolffelaar
> Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
> http://Jeroen.A-Eskwadraat.nl
> -- 
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


-> Jean-Francois Dive
--> jef@linuxbe.org

  I think that God in creating Man somewhat overestimated his ability.
    -- Oscar Wilde

Reply to: