Re: libpng CVE-2006-7244/CVE-2009-5063

To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: debian-security@lists.debian.org
Subject: Re: libpng CVE-2006-7244/CVE-2009-5063
From: Henri Salo <henri@nerv.fi>
Date: Sun, 24 Jul 2011 18:08:49 +0300
Message-id: <[🔎] 20110724150849.GA25098@foo.fgeek.fi>
In-reply-to: <[🔎] slrnj2ochh.aqm.jmm@inutil.org>
References: <[🔎] 20110724133148.GA24345@foo.fgeek.fi> <[🔎] slrnj2ochh.aqm.jmm@inutil.org>

On Sun, Jul 24, 2011 at 04:54:41PM +0200, Moritz Mühlenhoff wrote:
> Henri Salo <henri@nerv.fi> schrieb:
> > There is two open vulnerabilities in libpng 1.2.27-2+lenny4 as you can see from:
> >
> > http://security-tracker.debian.org/tracker/source-package/libpng
> >
> > The issues I am concerned about are CVE-2006-7244 and CVE-2009-5063. Notes of the issues are: "package libpng is vulnerable; however, the security impact is unimportant.", but I think these aren't unimportant as you can see from here:
> >
> > http://www.openwall.com/lists/oss-security/2011/03/22/7
> > http://www.openwall.com/lists/oss-security/2011/03/28/6
> >
> > Is there a plan to fix these issues? Should I create a bug-report?
> 
> It's fixed already since 1.2.39-1 for both issues.
> 
> Cheers,
>         Moritz

Well the tracker says the status for both CVEs is vulnerable. Please note that I am talking about oldstable.

Best regards,
Henri Salo

Reply to:

Follow-Ups:
- Re: libpng CVE-2006-7244/CVE-2009-5063
  - From: Moritz Mühlenhoff <jmm@inutil.org>

References:
- libpng CVE-2006-7244/CVE-2009-5063
  - From: Henri Salo <henri@nerv.fi>
- Re: libpng CVE-2006-7244/CVE-2009-5063
  - From: Moritz Mühlenhoff <jmm@inutil.org>

Prev by Date: Re: libpng CVE-2006-7244/CVE-2009-5063
Next by Date: Re: libpng CVE-2006-7244/CVE-2009-5063
Previous by thread: Re: libpng CVE-2006-7244/CVE-2009-5063
Next by thread: Re: libpng CVE-2006-7244/CVE-2009-5063
Index(es):
- Date
- Thread