Should we be alarmed at our state of security support?
Hi folks,
So I recently downloaded and installed debsecan on several of my
machines. These are all fully up-to-date machines, running either
wheezy or jessie. For now I'll just focus on wheezy since it's where
our security focus should go.

On this machine, it found 472 vulnerabilities. Quite a few of them fit
into the remotely exploitable, high urgency category. Many date back to
last year, some as far back as 2012. I've included a few examples at
the end.

Now, it is possible with some of these that the security-tracker
database ought to be updated to reflect that there is not a true
vulnerability. However, many of them seem to be existing issues that
just got forgotten somehow. I've traced a few through bug reports and such.

I wonder:

Are we already aware of these issues?
Do we have plans to fix them?
Do we know what would be helpful to fix them?
Thanks,
John
CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
<http://security-tracker.debian.org/tracker/CVE-2013-1961>
- libtiff4 (remotely exploitable, high urgency)

CVE-2014-1912 Buffer overflow in the socket.recvfrom_into function...
<http://security-tracker.debian.org/tracker/CVE-2014-1912>
- python2.6, python2.6-minimal (remotely exploitable, high urgency)

CVE-2014-9656 The tt_sbit_decoder_load_image function in...
<http://security-tracker.debian.org/tracker/CVE-2014-9656>
- libfreetype6 (remotely exploitable, high urgency)

CVE-2015-0231 Use-after-free vulnerability in the...
<http://security-tracker.debian.org/tracker/CVE-2015-0231>
- php5-cgi, php5-gd, php-pear, php5-curl, php5-common, php5-pspell,
php5-mcrypt, php5-cli, php5, php5-ldap, php5-imap, php5-mysql,
php5-intl (remotely exploitable, high urgency)

CVE-2015-1462 ClamAV before 0.98.6 allows remote attackers to have...
<http://security-tracker.debian.org/tracker/CVE-2015-1462>
- clamav, libclamav6, clamav-freshclam, clamav-base, clamav-daemon
(remotely exploitable, high urgency)

CVE-2010-5312 Cross-site scripting (XSS) vulnerability in...
<http://security-tracker.debian.org/tracker/CVE-2010-5312>
- libjs-jquery-ui (remotely exploitable, medium urgency)
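As an added example (not part of John's post, and not debsecan's own code), here is a small Python triage helper for the report layout quoted above: a CVE line, a tracker URL in angle brackets, then a "- package, package" list that may wrap over several lines and ends with the "(remotely exploitable, high urgency)" flags. It parses that layout, tallies findings by exploitability and urgency, and orders them so that remotely exploitable, high urgency, oldest-CVE-first items come out on top, which is the view an admin wants when deciding what to chase through the security tracker first. The sample text is constructed from the entries in the post; the parser assumes that layout and will need its regexes adjusted if your debsecan output format differs.

```python
import re
import sys
from collections import Counter

# Constructed sample in the layout quoted in the post (entries copied from it).
SAMPLE_REPORT = """\
CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
<http://security-tracker.debian.org/tracker/CVE-2013-1961>
- libtiff4 (remotely exploitable, high urgency)
CVE-2014-1912 Buffer overflow in the socket.recvfrom_into function...
<http://security-tracker.debian.org/tracker/CVE-2014-1912>
- python2.6, python2.6-minimal (remotely exploitable, high urgency)
CVE-2015-0231 Use-after-free vulnerability in the...
<http://security-tracker.debian.org/tracker/CVE-2015-0231>
- php5-cgi, php5-gd, php-pear, php5-curl, php5-common, php5-pspell,
php5-mcrypt, php5-cli, php5, php5-ldap, php5-imap, php5-mysql,
php5-intl (remotely exploitable, high urgency)
CVE-2015-1462 ClamAV before 0.98.6 allows remote attackers to have...
<http://security-tracker.debian.org/tracker/CVE-2015-1462>
- clamav, libclamav6, clamav-freshclam, clamav-base, clamav-daemon
(remotely exploitable, high urgency)
CVE-2010-5312 Cross-site scripting (XSS) vulnerability in...
<http://security-tracker.debian.org/tracker/CVE-2010-5312>
- libjs-jquery-ui (remotely exploitable, medium urgency)
"""

CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s+(.*)$")
# Package list followed by the trailing "(flag, flag)" group.
FLAGS_RE = re.compile(r"^(?P<pkgs>.*)\((?P<flags>[^)]*)\)\s*$")


def parse_report(text):
    """Turn the three-part report layout into a list of dict records."""
    records, current, pkg_buf = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CVE_RE.match(line)
        if m:  # a new finding starts with its CVE id and summary
            current = {"cve": m.group(1), "summary": m.group(2), "url": None,
                       "packages": [], "remote": False, "urgency": None}
            records.append(current)
            pkg_buf = []
            continue
        if current is None:
            continue  # text before the first CVE line is ignored
        if line.startswith("<") and line.endswith(">"):
            current["url"] = line[1:-1]
            continue
        if line.startswith("- "):
            line = line[2:]
        pkg_buf.append(line)
        if FLAGS_RE.match(line):  # the flags close the (possibly wrapped) package list
            fm = FLAGS_RE.match(" ".join(pkg_buf))
            flags = [f.strip() for f in fm.group("flags").split(",")]
            current["packages"] = [p.strip() for p in fm.group("pkgs").split(",") if p.strip()]
            current["remote"] = "remotely exploitable" in flags
            urg = [f for f in flags if f.endswith("urgency")]
            current["urgency"] = urg[0].split()[0] if urg else None
            pkg_buf = []
    return records


def summarize(records):
    """Counts by (remotely exploitable, urgency) and by affected package."""
    by_class = Counter((r["remote"], r["urgency"]) for r in records)
    by_pkg = Counter(p for r in records for p in r["packages"])
    return by_class, by_pkg


def triage_order(records):
    """Remote first, then high > medium > low > unknown, then oldest CVE first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(records, key=lambda r: (not r["remote"], rank.get(r["urgency"], 3), r["cve"]))


if __name__ == "__main__":
    # Read a report from stdin if one is piped in, otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    recs = parse_report(text)
    by_class, by_pkg = summarize(recs)
    print("findings: %d" % len(recs))
    for (remote, urg), n in sorted(by_class.items(), key=lambda kv: -kv[1]):
        print("  %-6s %-8s %d" % ("remote" if remote else "local", urg, n))
    print("top packages:", by_pkg.most_common(5))
    for r in triage_order(recs):
        print("%s %-7s %s %s" % (r["cve"], r["urgency"], "R" if r["remote"] else "-", ", ".join(r["packages"])))
```

Run it with a saved report on stdin to get the per-class counts and the ordered list; the per-package counter is the quick way to see which source packages account for most of the 472 findings, since one unfixed library (the php5 or clamav binaries above) shows up once per binary package.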