[Secure-testing-team] Lenny security bug sprint

Devin Carraway devin at debian.org
Wed Nov 26 08:50:19 UTC 2008


On Mon, Nov 17, 2008 at 01:13:23PM -0800, Devin Carraway wrote:
> > mysql-dfsg-5.0 / CVE-2008-4098
> >   Devin, you prepared the DSA. Since the upstream release is much more recent than
> >   Lenny and won't migrate, can you prepare an update for Lenny/testing-proposed-updates?

Proposed upload is here -- given the broad use of the package and the
consequences of a mistake, can someone give it a look over?

http://devin.com/debian/security/mysql-dfsg-5.0_lenny.debdiff
http://devin.com/debian/security/mysql/lenny/

> > pidgin / CVE-2008-2955, CVE-2008-2956
> >   Patch status unclear.

I reviewed the patches; upstream claims that CVE-2008-2955 is already fixed by
the version in Lenny; subsequent changes have improved protocol consistency
following an attack but are not overtly security-relevant.  The only extant
patch for CVE-2008-2956 was submitted by the reporter, and has not been
accepted either by upstream or by the Debian maintainer.  Given the difficulty
of real-world exploitation and the modest consequences thereof, I think we're
better off letting this one be.


-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2