[Secure-testing-team] Re: [debian-audit] Re: Security audit for TorrentFlux
Stefan Fritsch
sf at sfritsch.de
Mon Mar 12 10:54:07 UTC 2007
Hi,
On Monday 12 March 2007 10:13, Javier Fernández-Sanguino Peña wrote:
> On Sun, Mar 11, 2007 at 07:31:16PM -0700, Cameron Dale wrote:
> > unstable (at least, that's how I understand it). So, all the
> > fixes for those bugs have been backported to the 2.1 version that
> > is in unstable.
>
> You *should* update the version in unstable ASAP. Freeze only
> applies to testing, *not* to unstable. The way to get security fixes
> into testing (when frozen) is through unstable. Even though your
> package is not in testing you should make every effort to keep
> unstable security-bug-free. Please mention all CVE names in the
> changelog fixed in your new upload (like you did for 2.1-7).
All open issues are fixed in unstable in 2.1-7, see
http://security-tracker.debian.net/tracker/source-package/torrentflux
Some more thoughts:
- when I looked through it, I found far fewer issues than I expected
(though I still think that the code quality is very bad). However, I
am also not a PHP expert and would not consider what I did to be a
full audit.
- AFAIR most if not all issues were only for authenticated users, so
maybe one could add a note that it should be only used with trusted
users. Quake 2 was released with Sarge in this way while having lots
of security issues.
- in November or so I had a discussion with Micah on IRC and we agreed
that we did not see any problems with it being released with etch. I
didn't notice the discussion on debian-release, though.
Cheers,
Stefan