[Secure-testing-team] Lenny security bug sprint
devin at debian.org
Wed Nov 26 08:50:19 UTC 2008
On Mon, Nov 17, 2008 at 01:13:23PM -0800, Devin Carraway wrote:
> > mysql-dfsg-5.0 / CVE-2008-4098
> > Devin, you prepared the DSA. Since the upstream release is much more recent than
> > Lenny and won't migrate, can you prepare an update for Lenny/testing-proposed-updates?
Proposed upload is here -- given the broad use of the package and the
consequences of a mistake, can someone give it a look over?
> > pidgin / CVE-2008-2955, CVE-2008-2956
> > Patch status unclear.
I reviewed the patches; upstream claims that CVE-2008-2955 is already fixed by
the version in Lenny; subsequent changes have improved protocol consistency
following an attack but are not overtly security-relevant. The only extant
patch for CVE-2008-2956 was submitted by the reporter, and has not been
accepted either by upstream or by the Debian maintainer. Given the difficulty
of real-world exploitation and the modest consequences thereof, I think we're
better off letting this one be.
Devin \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2