[Secure-testing-team] Re: report on current state of sarge security

Steve Langasek vorlon at debian.org
Sat Nov 27 10:08:25 UTC 2004

Updates to these:

On Tue, Nov 23, 2004 at 03:15:17PM -0500, Joey Hess wrote:
> gxine (unfixed; bug #279747) for CAN-2004-1034
> 	Was supposed to be fixed last weekend, was not, NMU candidate.

This is fixed in gxine 0.4-rc1 in unstable.  Held out by atk1.0 (8 of 10
days), pango1.0 (3 of 10 days, missing powerpc build).

> fcron needed, have 2.9.4-3.1 for CAN-2004-1033
> fcron needed, have 2.9.4-3.1 for CAN-2004-1032
> fcron needed, have 2.9.4-3.1 for CAN-2004-1031
> fcron needed, have 2.9.4-3.1 for CAN-2004-1030
> 	Blocked by libselinux (should go in in 4 days).

Reset by a libselinux upload, now needs 9 more days; will revisit w/ Manoj
after the weekend to see if the urgency can be bumped.

> zip 2.30-8 needed, have 2.30-6 for CAN-2004-1010
> 	Held out by missing hppa build.

Made it to testing.

> ppp 2.4.2+20040428-3 needed, have 2.4.2+20040428-2 for CAN-2004-1002
> 	Candidate to be forced into testing, if the diff seems sane
> 	to RMs. If not we should backport only the security fix to t-p-u.

I've reviewed this and it looks ok to me, though it seems that the fix for
278082 actually exacerbated the problem by breaking IPX on older kernels as
well.  Waiting for maintainer's response before pushing this one in.

> iptables 1.2.11-4 needed, have 1.2.11-2 for CAN-2004-0986
> 	Candidate to be forced into testing, if the diff seems sane
> 	to RMs. Changes seem minimal and necessary.
> perl 5.8.4-4 needed, have 5.8.4-3 for CAN-2004-0976
> 	FTBFS on mipsel due to test suite failures.
> 	Note that this happened for -3 also, and yet it somehow got built
> 	and into sarge anyway. How?

Probably a hand-build outside the autobuilders. <sigh>

> openssl 0.9.7e-1 needed, have 0.9.7d-5 for CAN-2004-0975
> 	New upstream with several security fixes, needs RM review.

Reviewed and approved.

> samba 3.0.8-1 needed, have 3.0.7-2 for CAN-2004-0930
> 	Missing alpha build from 18th.

Expected to go in tomorrow.

> apache 1.3.33-2 needed, have 1.3.31-7 for DSA-594-1
> 	Was uploaded with wrong urgency, should have an urgent hint added.

Urgent hint added.

Thanks to all who've worked on this massive security review.

Steve Langasek
postmodern programmer