Re: [Secure-testing-team] passing on my cron job

2014-11-12 Thread Florian Weimer
* Salvatore Bonaccorso: Florian, I just have copied it, could you activate the remaining part of the cronjob too? It seems to be working as expected. Thanks! ___ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org

Re: [Secure-testing-team] passing on my cron job

2014-11-09 Thread Florian Weimer
* Salvatore Bonaccorso: Just checked, sectracker role account user is already member of the project as developer so should be able to set it up. Oh, I didn't know we already had a role account. I don't know the details for the sectracker account, so I'll try to set up things using

Re: [Secure-testing-team] passing on my cron job

2014-11-09 Thread Florian Weimer
* Salvatore Bonaccorso: Just checked, sectracker role account user is already member of the project as developer so should be able to set it up. Thanks, the cron job is running, except for the “bts-update list”. I'm worried that strange things happen if I initialize it with an empty list file.

Re: [Secure-testing-team] passing on my cron job

2014-11-08 Thread Florian Weimer
* Joey Hess: As I'm leaving Debian, my cron job on moszumanska.debian.org will stop running pretty soon. Thanks for your work, this heads-up, and good luck. Here it is: # security update and testing bts usertag sync 14 9,21 * * * cd ~/secure-testing svn cleanup svn up -q; cd data

Re: [Secure-testing-team] [Secure-testing-commits] r16302 - data/DSA lib/python/sectracker

2011-03-04 Thread Florian Weimer
* Florian Weimer: Modified: lib/python/sectracker/analyzers.py === --- lib/python/sectracker/analyzers.py2011-03-04 19:44:29 UTC (rev 16301) +++ lib/python/sectracker/analyzers.py2011-03-04 19:45:26 UTC (rev

Re: [Secure-testing-team] need clarification on removed-packages

2009-09-24 Thread Florian Weimer
* Moritz Muehlenhoff: AFAICT the only purpose of data/removed-packages is to mark all the packages, which have been removed from all suites, since otherwise the packages would show up on http://idssi.enyo.de/tracker/data/unknown-packages (which is useful to spot typos in source package

Re: [Secure-testing-team] how to handle SMM attacks?

2009-08-10 Thread Florian Weimer
* Michael S. Gilbert: right, but debian now has almost all free software firmwares for those devices, and hence those threats are mostly nullified, right? Only for firmware which is not that firm and lost if the power is gone. If the manufacturer hasn't got rid of flash to store the

Re: [Secure-testing-team] Security support for volatile?

2009-02-27 Thread Florian Weimer
* Kurt Roeckx: For ClamAV and ClamAV-derived packages, I'd prefer to see uploads of new upstream versions to stable-security or stable-proposed-updates (that is, remove it from volatile). I think one of the reasons why clamav is in volatile is that the engine might need updating to detect new

Re: [Secure-testing-team] overrides

2008-12-03 Thread Florian Weimer
* Joerg Jaspert: As I don't see much reason in setting sid overrides for stable or testing, I have changed it to use what is actually in use for the distribution, ie etch for stable, lenny for testing currently. Thanks. However, we didn't have to deal with the overrides business in the past,

[Secure-testing-team] Minor PowerDNS DoS (CVE-2008-5277)

2008-12-03 Thread Florian Weimer
-security; urgency=high + + * Fix minor denial of service in CH/HINFO processing (CVE-2008-5277) + + -- Florian Weimer [EMAIL PROTECTED] Wed, 03 Dec 2008 16:48:01 +0100 + pdns (2.9.20-8+etch1) stable-security; urgency=high * Fixes security issue CVE-2008-3337 as announced in diff --git

Re: [Secure-testing-team] Minor PowerDNS DoS (CVE-2008-5277)

2008-12-03 Thread Florian Weimer
* Nico Golde: Hi, * Florian Weimer [EMAIL PROTECTED] [2008-12-03 19:20]: version 2.9.21.1.0-1 fixed a minor denial of service condition in pdns-server. It's currently not in testing. Please arrange for a transition of the unstable version, or use the patch below I prepared for the version

[Secure-testing-team] servinvoke

2008-12-01 Thread Florian Weimer
Some of you might be interested in the tiny program servinvoke which is required to run the tracker web service. There's now a public GIT repository containing its source code: http://git.enyo.de/fw/debian/servinvoke.git/ I will add some support scripts to the secure-testing Subversion

Re: [Secure-testing-team] References to Secunia IDs

2008-11-20 Thread Florian Weimer
* Raphael Geissert: I believe it is better to have a Secunia ID than no other information to easily identify the issue. Or should I stop asking for that? We should really concentrate on CVEs. The United States haven't got a notion of database copyright, so their naming service won't have any

[Secure-testing-team] Tracking based on binary package names

2008-06-02 Thread Florian Weimer
Do we need this functionality? I'm working on some tracker improvements, and the (limited) ability to track CVEs based on binary packages makes progress rather difficult.

Re: [Secure-testing-team] Seems fixed in the wrong place

2008-05-24 Thread Florian Weimer
* Thijs Kinkhorst: Why don't we just reassign this bug to the BTS and have request that changed so that it forwards those bugs to the specific place? It's the canonical place, it's one place to change when changes are needed and it will work regardless of which bug reporting method someone

Re: [Secure-testing-team] [Secure-testing-commits] r7571 - data/CVE

2007-12-25 Thread Florian Weimer
* Nico Golde: Thanks very much for finding that. I did not see it when checking the xemacs code because the code is located somewhere else and the code itself is also different. This also means that we have to write our own patch or do you have one? Sorry, I haven't. The easiest route

[Secure-testing-team] Embargoed uploads for testing-security

2007-12-25 Thread Florian Weimer
Is it possible to prepare embargoed updates by an upload to the embargoed queue on klecker? I guess the distribution should be testing-security, right?

Re: [Secure-testing-team] [Secure-testing-commits] r7192 - data/CVE

2007-11-02 Thread Florian Weimer
CVE-2007-5695 (command.php in SiteBar 3.3.8 allows remote attackers to redirect users ...) - - sitebar unfixed (low; bug #448690) + - sitebar unfixed (unimportant; bug #448690) + NOTE: there is no real exploit scenario I disagree with that assessment. Open redirectors pose at
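Review bot: the severity change from low to unimportant rests on the new NOTE "there is no real exploit scenario", but the CVE text on the same entry says the flaw lets remote attackers redirect users, so the NOTE should say why that redirect is not considered exploitable here, or the rating should stay at low.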

Re: [Secure-testing-team] [Secure-testing-commits] r6759 - data/CVE

2007-10-02 Thread Florian Weimer
CVE-2007-5049 REJECTED - {DTSA-62-1} - - poppler 0.5.4-6.2 (medium; bug #443903) - - gpdf removed - - xpdf 3.02-1.2 (medium; bug #443906) - - kdegraphics 4:3.5.7-4 (medium; bug #444015) - - koffice 1:1.6.3-3 (medium; bug #444014) - - pdftohtml removed -
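Review bot: the REJECTED marker also drops the {DTSA-62-1} cross-reference and every package line (poppler 0.5.4-6.2, xpdf 3.02-1.2, kdegraphics 4:3.5.7-4, koffice 1:1.6.3-3, and the removed gpdf and pdftohtml) together with their bug numbers; if MITRE rejected the ID as a duplicate, those lines belong under the surviving CVE, otherwise DTSA-62-1 no longer resolves to any tracker entry. Name the replacement ID in the commit message.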

Re: [Secure-testing-team] adding TEMP items to the tracker list

2007-10-02 Thread Florian Weimer
* Nico Golde: looking at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444982 which seems to be a valid security flaw, how do I add this to the tracker that it will be displayed as TEMP-XXX... item? Use CVE-2007- and put the description in brackets ([]).

Re: [Secure-testing-team] [Secure-testing-commits] r6546 - data/CVE

2007-09-11 Thread Florian Weimer
* Nico Golde: * Moritz Muehlenhoff [EMAIL PROTECTED] [2007-09-09 21:49]: On Sun, Sep 09, 2007 at 03:48:41PM +0200, Nico Golde wrote: [...] +CVE-2007-4752 [Unsafe fallback to trusted X11 cookie in openssh] What happened to this CVE? Mitre doesn't know about it any longer. It

Re: [Secure-testing-team] Mini-meeting at DebConf - minutes

2007-06-27 Thread Florian Weimer
Well, I couldn't make it to debconf, but I probably should contribute a few notes anyway. Status of the tracker software -- As most of you probably know, the web service (http://security-tracker.debian.net/, http://idssi.enyo.de/tracker/) works by watching for

Re: [Secure-testing-team] gimp hole: DSA vs. tracker

2007-06-10 Thread Florian Weimer
* Francesco Poli: Is the tracker[1] consistent with DSA 1301-1? What's wrong? The tracker doesn't know yet about DSA-1301-1. An update should show up shortly.

Re: [Secure-testing-team] [Secure-testing-commits] r5969 - data/CVE

2007-06-02 Thread Florian Weimer
CVE-2007-2849 (KnowledgeTree Document Management (aka KnowledgeTree Open Source) ...) - NOT-FOR-US: KnowledgeTree + - knowledgetree unfixed + TODO: file bug Oops. Does it have Active Directory support? Or should the advisory actually read LDAP instead?

Re: [Secure-testing-team] Why is fixed in testing-security slow to turn up in the tracker?

2007-06-01 Thread Florian Weimer
* Stefan Fritsch: The data which vulnerability is fixed in which version is pushed to the tracker (by the svn commit). However, the data which versions are in which distributions gets only updated when the tracker downloads the Packages files, which does not happen too often (once a day?).

[Secure-testing-team] Our CERT/CC liaison

2007-05-22 Thread Florian Weimer
To pick some random example, http://www.kb.cert.org/vuls/id/754281 lists Debian's status as Unknown, even though Debian was notified last year. What would be necessary to ensure that CERT/CC publishes accurate information regarding Debian in their vulnerability notes? Presumably, they've tried to

Re: [Secure-testing-team] [Secure-testing-commits] r5877 - /

2007-05-18 Thread Florian Weimer
add support for etch volatile Thanks, I've put that into production. It seems that the Package files have been downloaded successfully and will be incorporated after the next commit.

Re: [Secure-testing-team] phpmyadmin update

2007-05-08 Thread Florian Weimer
* Thijs Kinkhorst: - CVE-2007-1325 is a workaround for PHP issue CVE-2006-1549. That issue has been fixed in PHP already, or would need to be fixed there. It's not an issue for phpmyadmin specifically, and should be regarded as not relevant for us. Thanks for the explanation. -

Re: [Secure-testing-team] PHP bugs: fixed or not?

2007-04-30 Thread Florian Weimer
* Francesco Poli: At the same time, DSA 1283-1[4] claims that this vulnerability is fixed in version 5.2.0-11. I've looked at the source package, and the patch is contained in it and also applied. So I've corrected the tracker to indicate that 5.2.0-11 is indeed fixed. Thanks for reporting

Re: [Secure-testing-team] Re: [Secure-testing-commits] r5655 - bin

2007-04-18 Thread Florian Weimer
* Neil McGovern: On Sun, Apr 15, 2007 at 09:51:48AM +, Florian Weimer wrote: Log: * bin/tracker_service.py: Update DTSA candidates page for the etch release While we're at it, could we drop woody from the tracker? :) Oooh. I think I've removed it. We'll see if it's back after

[Secure-testing-team] Re: [Secure-testing-commits] Processing r5665 failed

2007-04-18 Thread Florian Weimer
data/CVE/list:25913: source and binary package annotations data/CVE/list:25913: source package: fetchmail data/CVE/list:25913: binary package: fetchmail-ssl data/CVE/list:38168: source and binary package annotations data/CVE/list:38168: source package: arj data/CVE/list:38168: binary

[Secure-testing-team] Re: [Secure-testing-commits] Processing r5666M failed

2007-04-18 Thread Florian Weimer
data/DSA/list:2488: binary package 'unarj' used with release 'woody' data/DSA/list:2820: binary package 'freenet6' used with release 'woody' data/DSA/list:3968: binary package 'apache-perl' used with release 'woody' Look, ma, down to three packages! But I think I've fixed it. The last test

[Secure-testing-team] etch/lenny integration

2007-04-08 Thread Florian Weimer
I've tried to make the necessary adjustments to the tracker, but I haven't been able to test them yet. The database update process is running, and I feel too tired to wait for its result. I expect the testing/stable summary pages to be wrong (they should show the data for stable/oldstable

[Secure-testing-team] Re: [Secure-testing-commits] r5628 - in data: . CVE

2007-04-05 Thread Florian Weimer
* Moritz Muehlenhoff: CVE-2007-1614 (Stack-based buffer overflow in the zzip_open_shared_io function in ...) - NOT-FOR-US: ZZIPlib + - zziplib unfixed (unknown) + NOTE: http://www.securitylab.ru/forum/read.php?FID=21TID=40858MID=326187#message326187 + TODO: Needs to be

Re: [Secure-testing-team] Is the security bug tracker up-to-date?

2007-04-01 Thread Florian Weimer
* Francesco Poli: For instance, the report[2] for CVE-2007-0981 states: | | iceweasel (PTS)etch 2.0.0.1+dfsg-2 vulnerable |sid 2.0.0.2+dfsg-3 fixed | On the other hand, the testing migration checker[3] says: | | * iceweasel has the same version in unstable

Re: [Secure-testing-team] CVE-2007-0002, -0238, and -0239 are fixed in testing-security, aren't they?

2007-04-01 Thread Florian Weimer
* Francesco Poli: I think these three vulnerabilities should be listed as fixed in testing-security. Or am I wrong? No, I think we missed the uploads to testing-proposed-updates. Fixed.

[Secure-testing-team] Statement regarding PHP safe mode bugs

2007-03-01 Thread Florian Weimer
Here's my old draft for an official statement regarding PHP safe mode bugs (or more, generally speaking, bugs which can only be exploited by malicious or vulnerable PHP scripts). Recent events suggest that we should publish something to describe the focus of our security support. Things that

Re: [Secure-testing-team] Re: [Secure-testing-commits] r5450 - data/CVE

2007-02-13 Thread Florian Weimer
* Moritz Muehlenhoff: remove all traces of firefox (actually I think this is a bug in the tracker) I concur; we shouldn't lose the security history of firefox. Yes, this is in fact a bug, or rather a design defect. Florian, please fix so that we can revert r5450 afterwards. If we want to

[Secure-testing-team] Web site

2007-01-29 Thread Florian Weimer
What has happened to http://secure-testing.debian.net/? Has this web site moved elsewhere?

[Secure-testing-team] Re: [Secure-testing-commits] r5273 - data/CVE

2007-01-16 Thread Florian Weimer
* Alex de Oliveira Silva: CVE-2007- [libgtop2 glibtop_get_proc_map_s() Buffer Overflow] - - libgtop2 2.14.4-3 not-affected [etch] - libgtop2 2.14.4-2 (medium) [sarge] - libgtop 2.6.0-4 (medium) NOTE: sarge - libgtop2 2.6.0-4 sent patch to secure team. Why is
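Review bot: the [sarge] line names the source package libgtop while the NOTE for the same release says libgtop2 2.6.0-4, so one of the two names is wrong; and the line `- libgtop2 2.14.4-3 not-affected` carries both a fixed version and the not-affected keyword, which are two different forms of a package line, so it should be one or the other.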

[Secure-testing-team] Re: [Secure-testing-commits] r5271 - data/CVE

2007-01-16 Thread Florian Weimer
* Alex de Oliveira Silva: +CVE-2007- [Denial of Service Vulnerabilities] + - squid 2.6.5-3 (low) 2.6.5-3 is a translation update. Why do you think this version fixed a security bug?

Re: [Secure-testing-team] Some notes on data commits

2007-01-13 Thread Florian Weimer
* Moritz Muehlenhoff: - Severity ratings have been repeatedly picked up by news sites taking it as an official position of the Debian project and indirectly the Security Team. This means that severity ratings should only be added with great care. Not every issue needs a severity

[Secure-testing-team] Re: [Secure-testing-commits] r5162 - data/CVE

2006-12-24 Thread Florian Weimer
* Stefan Fritsch: CVE-2006-6104 (The System.Web class in the XSP for ASP.NET server 1.1 through 2.0 in ...) - TODO: check + NOT-FOR-US: System.Web class in the XSP for ASP.NET server *ahem* We've got ASP.NET these days. This is a bug which affects Mono.

[Secure-testing-team] Re: [Secure-testing-commits] Processing r4781 failed

2006-09-30 Thread Florian Weimer
* Alec Berryman: [EMAIL PROTECTED] on 2006-09-29 14:34:03 +0200: The error message was: data/CVE/list:10727: expected package entry, got: '- gaim-encryption 3.0~beta5-3 (bug #337127)' make: *** [all] Error 1 Does the tracker not support ~ in version numbers, or did I make a typo I'm
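Following up on the question about `~` in version numbers above: as an added example (not code from the tracker or from debsecan), here is the dpkg version-comparison algorithm in Python. It treats `~` as sorting before anything else, including the end of the string, so `3.0~beta5-3` sorts below `3.0-1`, which is exactly the behaviour a fixed-version check needs for pre-release uploads. The function names are this example's own; the versions in the comments are taken from entries quoted elsewhere on this page.

```python
def _order(c: str) -> int:
    """Weight of one non-digit character as in dpkg's verrevcmp(): the empty string
    (end of the version) is 0, letters sort by ASCII value, '~' sorts before
    everything including the end, and other punctuation sorts after letters."""
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream or revision part: alternate between non-digit runs
    (compared character by character via _order) and numeric runs (compared as
    numbers, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while True:                                   # non-digit run
            ca, cb = a[i:i + 1], b[j:j + 1]
            if not ((ca and not ca.isdigit()) or (cb and not cb.isdigit())):
                break
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
            i, j = i + 1, j + 1
        while a[i:i + 1] == "0":
            i += 1
        while b[j:j + 1] == "0":
            j += 1
        first_diff = 0                                # numeric run
        while a[i:i + 1].isdigit() and b[j:j + 1].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if a[i:i + 1].isdigit():
            return 1                                  # more digits left: larger number
        if b[j:j + 1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v: str):
    """epoch:upstream-revision -> (epoch, upstream, revision). The epoch ends at the
    first ':' (default 0), the revision starts after the last '-' (default empty)."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def dpkg_compare(a: str, b: str) -> int:
    """Return -1, 0 or 1, like `dpkg --compare-versions a lt|eq|gt b`.
    Examples: 3.0~beta5-3 < 3.0-1; 1:1.6.3-3 < 4:3.5.7-4; 2.9.21.1.0-1 > 2.9.20-8+etch1."""
    (ea, ua, ra), (eb, ub, rb) = split_version(a), split_version(b)
    r = (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_fixed(installed: str, fixed: str) -> bool:
    """The question debsecan asks per package: is the installed version >= the fixed one?"""
    return dpkg_compare(installed, fixed) >= 0
```

The two points that usually bite hand-written comparisons are both covered: `~` is the only character that sorts below the end of the string (so `1.0~rc1` is older than `1.0`), and numeric runs are compared by value rather than lexically (so `2.9.21` is newer than `2.9.20` even though the strings would sort the other way after the shared prefix only if compared digit by digit with equal length).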

[Secure-testing-team] Re: [Secure-testing-commits] r4725 - data/CVE

2006-09-13 Thread Florian Weimer
* Stefan Fritsch: On Wednesday 13 September 2006 21:45, Moritz Muehlenhoff wrote: Stefan Fritsch wrote: - CVE-2004-1617 lynx fix from DSA uploaded to unstable (are these still not propagating automatically?) No, they don't, it's a known dak bug. So in the future we should file bugs in

Re: [Secure-testing-team] False positives on daily script

2006-09-04 Thread Florian Weimer
* Julien Goodwin: For some reason on my fully up to date etch system I get the following matches in the e-mail, when I click the attached link they all say etch isn't vulnerable (and I can't see anything obvious wrong with my system). Could you post the output of debsecan --suite etch

Re: [Secure-testing-team] Updates for testing-security track page

2006-08-26 Thread Florian Weimer
* Francesco Poli: [servinvoke is still unpublished] If not, why? I'm still looking for a replacement. I don't want to add anything to the pool of insecure C programs. servinvoke already had a buffer overflow bug. 8-/

Re: [Secure-testing-team] trackers and webpages

2006-08-16 Thread Florian Weimer
* Joey Hess: Micah Anderson wrote: I'm not actually sure what it is now, it might just need someone to request it again, start the threads asking why it hasn't happened yet. Setting up a debian.net domain is completely automated, it's just a matter of sending a mail to the control bot. Ah,

Re: [Secure-testing-team] Updates for testing-security track page

2006-08-16 Thread Florian Weimer
* Francesco Poli: Now, I'm giving a look at http://svn.debian.org/wsvn/secure-testing/ I cannot find many copyright or permission notices around... The source files which actually contain valuable IP have the GPL boilerplate. The tracker_service.py file is a border case; it depends on an

Re: [Secure-testing-team] trackers and webpages

2006-08-15 Thread Florian Weimer
* Micah Anderson: I'm not actually sure what it is now, it might just need someone to request it again, start the threads asking why it hasn't happened yet. There was some discussion about how the data should be hosted on official debian machines, and that there was some optimizations that

Re: [Secure-testing-team] Updates for testing-security track page

2006-06-25 Thread Florian Weimer
* Javier Fernández-Sanguino Peña: Yes, all recent work has been put into idssi.enyo.de/tracker. Any chance that this information can be placed up at www.debian.org? What do you guys need for that to happen? [1] The archive metadata mirror currently needs about 500 MB of space (~15 MB per

[Secure-testing-team] Re: [Secure-testing-commits] r4299 - data/CVE

2006-06-25 Thread Florian Weimer
* Alec Berryman: * CVE-2006-3127 (libnss in mozilla): after discussing with micah on irc, determined that it is a bug with mozilla nss but that the affected version is unreleased and not in Debian. Note that a *lot* of DoS bugs were recently fixed in NSS:

Re: [Secure-testing-team] False positives from daily report

2006-06-25 Thread Florian Weimer
* Julien Goodwin: This should be listed as fixed for etch and sid as well from version 0.8.6d-1 (First version where adodb code removed from source tarball). AFAICT, this has been fixed. Also: CVE-2006-0456 kernel: strlen_user() DoS on s390 http://idssi.enyo.de/tracker/CVE-2006-0456 -

Re: [Secure-testing-team] Updates for testing-security track page

2006-06-24 Thread Florian Weimer
* Francesco Poli: Probably, you should use the SQLite database directly, instead of parsing web pages. Well, have I (remote) access to the SQLite database?!? Not remote, but you should be able to build one with a couple of make invocations. Something like this: make update-packages

Re: [Secure-testing-team] Updates for testing-security track page

2006-06-23 Thread Florian Weimer
* Francesco Poli: OK, that means that my script must be replaced by something else that pulls the relevant data from [0], rather than from [1]... :-/ Which script? Probably, you should use the SQLite database directly, instead of parsing web pages.

Re: [Secure-testing-team] Updates for testing-security track page

2006-06-05 Thread Florian Weimer
* Djoume SALVETTI: But we also need to manually add some [sarge] - mozilla-firefox not-affected to track sarge status (when we have some info) don't we? Yes, and you should add an explanation like only 1.5 is affected in parentheses.

[Secure-testing-team] Re: [Secure-testing-commits] r3912 - in data: . CVE

2006-05-03 Thread Florian Weimer
* Micah Anderson: -CVE-2006- [librsvg2 crash on certain svg files] +CVE-2006-2148 [librsvg2 crash on certain svg files] - cgiirc unfixed (bug #365680; medium) [sarge] - cgiirc unfixed (bug #365680; medium) CVE-2006-2133 (SQL injection vulnerability in index.php in BoonEx
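Review bot: in the shown context the only package lines under the renamed librsvg2 entry are `- cgiirc unfixed (bug #365680; medium)` and the identical [sarge] line, with no librsvg2 line at all; either the librsvg2 package line is missing from the entry or the cgiirc lines are attached to the wrong CVE. Please check the entry after the rename.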

Re: [Secure-testing-team] Tracker implementation support

2006-03-11 Thread Florian Weimer
* Micah Anderson: I mostly am not able to... However, I did want to suggest some wording changes to the front page so we could get the tracker underneath a debian.org address (as discussed at the previous meeting). Thanks! I've incorporated your changes. I've also added a Reporting problems

Re: [Secure-testing-team] Tracker implementation support

2006-03-10 Thread Florian Weimer
* martin f. krafft: Could you be a little more explicit as to what's meant with web frontend? http://idssi.enyo.de/tracker/

[Secure-testing-team] Re: [Secure-testing-commits] r3477 - in data: . CVE DSA

2006-02-14 Thread Florian Weimer
* Moritz Muehlenhoff: remove mydns dupe -CVE-2006- [mydns remote DoS] - - mydns 1.1.0+pre-3 (medium) CVE-2006-0353 (unix_random.c in lshd for lsh 2.0.1 leaks file descriptors related to ...) {DSA-956-1} - lsh-utils 2.0.1cdbs-4 (low; bug #349303) @@ -3718,7 +3716,7
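Review bot: the removed placeholder `CVE-2006- [mydns remote DoS]` carried a fixed version, mydns 1.1.0+pre-3 (medium), and the commit message only says "remove mydns dupe" without naming the entry it duplicates; confirm that the surviving entry records the same fixed version and severity before this information is lost.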

Re: [Secure-testing-team] Re: Bug#342943: only kronolith2 fixed

2006-01-22 Thread Florian Weimer
* Martin Schulze: I've taken a look at the patch, and several lines contain changes not suitable for a security update, i.e. fix different potential bugs or change the code. I'm attaching the patch. More eyes checking would be appreciated. This one seems only safe when magic_quotes_gpc is

[Secure-testing-team] debsecan announcement

2006-01-18 Thread Florian Weimer
Hi, I intend to send a real debsecan announcement to debian-devel and debian-security. A draft is included below. Comments are appreciated. Florian To: debian-devel, debian-security Reply-To: debian-security Subject: [ANN] Debian Security Analyzer It is my pleasure to announce the

Re: [Secure-testing-team] debsecan announcement

2006-01-18 Thread Florian Weimer
* Martin Zobel-Helas: one should mention this is only about open available security bugs for stable. Sorry, I don't understand what you are trying to say. Perhaps you mean weeding out packages which are incorrectly listed as vulnerable?

Re: [Secure-testing-team] Re: [Secure-testing-commits] r3297 - data/CVE

2006-01-16 Thread Florian Weimer
* Moritz Muehlenhoff: Exactly. This is why you should list the version which started linking dynamically against poppler as the fixed version. It is more or less necessary if there ever will be a DSA released for this issue. There'll be a DSA soon, but I fail to see why this should cause

Re: [Secure-testing-team] Re: [Secure-testing-commits] r3297 - data/CVE

2006-01-15 Thread Florian Weimer
* Anthony DeRobertis: Moritz Muehlenhoff wrote: Modified: data/CVE/list === --- data/CVE/list2006-01-14 17:00:45 UTC (rev 3296) +++ data/CVE/list2006-01-15 12:03:20 UTC (rev 3297) @@ -2826,6 +2826,7 @@ CVE-2005-3627

Re: [Secure-testing-team] Introducing no-dsa

2006-01-01 Thread Florian Weimer
* Moritz Muehlenhoff: [distribution-tags] - packagename no-dsa (This explains, why there is no DSA) I'm wondering if this is the correct format. Wouldn't it make sense to generate a web page for http://www.debian.org/security/ from this data? If yes, you might want to have a bit more space

[Secure-testing-team] Re: [Secure-testing-commits] r3114 - data/DSA

2005-12-21 Thread Florian Weimer
* Moritz Muehlenhoff: +[21 Dec 2005] DSA-924-1 nbd - buffer overflow + {CVE-2005-4354} Is this entry the correct one? The DSA references a Sylpheed issue, which is clearly wrong.

Re: [Secure-testing-team] Re: [Secure-testing-commits] r3023 - data/CVE

2005-12-19 Thread Florian Weimer
* Moritz Muehlenhoff: Florian Weimer wrote: * Moritz Muehlenhoff: +CVE-2005- [Another fib_lookup DoS] + - linux-2.6 unfixed +CVE-2005- [DoS in i82365 driver] + - linux-2.6 unfixed Would it be possible to add a cross-reference in such cases, preferably to MARC, or a bug

Re: [Secure-testing-team] reliability of oldstable data

2005-12-19 Thread Florian Weimer
* Stefan Fritsch: What's your problem with this one? It's there, as far as I can tell. Shouldn't it appear on http://idssi.enyo.de/tracker/status/release/oldstable ? It doesn't. It seems as if stunnel was in woody/non-US. I incorrectly assumed that woody already had crypto-in-main. I'm

[Secure-testing-team] Re: [Secure-testing-commits] r3017 - data/CVE

2005-12-14 Thread Florian Weimer
* Moritz Muehlenhoff: CVE-2004-1347 (X Display Manager (XDM) on Solaris 8 allows remote attackers to cause ...) - NOT-FOR-US: xdm on Solaris + -xdm not-affected (xdm on Solaris) IIRC, this issue had already been fixed in XFree86 as an ordinary bug at that time it was rediscovered
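Review bot: the new line reads `-xdm not-affected (xdm on Solaris)` with no space between the dash and the package name, whereas every other package line uses the form `- package`; the list parser most likely expects that space, so add it.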

[Secure-testing-team] Debian Security Analyzer (debsecan)

2005-12-14 Thread Florian Weimer
I've hacked something to check installed packages against the vulnerability database. It's similar to the tsck script, but should handle all package annotations correctly. Most of the logic is server-side; debsecan downloads a compressed, release-specific vulnerability list. Currently, there's

Re: [Secure-testing-team] Debian Security Analyzer (debsecan)

2005-12-14 Thread Florian Weimer
* Stefan Fritsch: Hi Florian, I've hacked something to check installed packages against the vulnerability database. this is nice. Thanks. A suggestion: it should not print packages that are in state deinstall ok config-files Fixed, by skipping packages which are not in the installed

[Secure-testing-team] Re: [Secure-testing-commits] r3023 - data/CVE

2005-12-13 Thread Florian Weimer
* Moritz Muehlenhoff: +CVE-2005- [Another fib_lookup DoS] + - linux-2.6 unfixed +CVE-2005- [DoS in i82365 driver] + - linux-2.6 unfixed Would it be possible to add a cross-reference in such cases, preferably to MARC, or a bug number? Otherwise, it's hard to figure out which

Re: [Secure-testing-team] Stable Kernel issues

2005-11-24 Thread Florian Weimer
* Martin Zobel-Helas: I asked Joey on [EMAIL PROTECTED] about the current status of the stable kernels. He stated, that most flaws were just fixed but no extended explanation was given. What he said can be done to help him is to give long term explanations for every CVE/CAN fixed in

[Secure-testing-team] CVE status

2005-11-16 Thread Florian Weimer
Here's a message I received from NIST. I don't know if the issue has been resolved yet. From: [EMAIL PROTECTED] Subject: National Vulnerability Database (New Vulnerability Outage) To: Multiple recipients of list [EMAIL PROTECTED] Date: Mon, 14 Nov 2005 14:03:33 -0500 (EST) Message-Id: [EMAIL

Re: [Secure-testing-team] CVE status

2005-11-16 Thread Florian Weimer
* Florian Weimer: Here's a message I received from NIST. I don't know if the issue has been resolved yet. Here's the update I've just received. So everything should be back to normal soon. From: [EMAIL PROTECTED] Subject: National Vulnerability Database (Operational Status and New Features

[Secure-testing-team] Re: [Secure-testing-commits] r2723 - data/CVE

2005-11-14 Thread Florian Weimer
* Neil McGovern: -CVE-2002-0683 (Directory traversal vulnerability in Carello 1.3 allows remote ...) +CVE-2001-0683 (Directory traversal vulnerability in Carello 1.3 allows remote ...) NOT-FOR-US: no_package This is an accident, I suppose. I will revert it.

[Secure-testing-team] Re: [Secure-testing-commits] r2660 - data/DTSA/advs

2005-11-04 Thread Florian Weimer
* Micah Anderson: +CVE-2005-3239 + + The OLE2 unpacker allows remote attackers to cause a denial of service + by sending a DOC file with an invalid property tree, triggering + an infinite recursion. + + A possible denial of service has been found in + libclamav/tnef.c (IDEF1169)

[Secure-testing-team] Re: [linux-2.6] Fix signedness issues in net/core/filter.c

2005-10-26 Thread Florian Weimer
On Tue, Oct 25, 2005 at 05:35:19PM +0200, Florian Weimer wrote: Is the issue described below already on your radar screen? I couldn't find it in the relevant files. AFAICT, no CVE name has been assigned. It's the first I've seen of it, but that doesn't mean much. Which GIT tree

[Secure-testing-team] [linux-2.6] Fix signedness issues in net/core/filter.c

2005-10-25 Thread Florian Weimer
Is the issue described below already on your radar screen? I couldn't find it in the relevant files. AFAICT, no CVE name has been assigned. commit 4717ecd49ce5c556d38e8c7b6fdc9fac5d35c00e Author: Patrick McHardy [EMAIL PROTECTED] Date: Mon Jul 18 06:52:50 2005 +0200 [PATCH] Fix

[Secure-testing-team] Re: [Secure-testing-commits] r2501 - in data: CVE DSA

2005-10-20 Thread Florian Weimer
* Moritz Muehlenhoff: +[20 Oct 2005] DSA-867-1 module-assistant - insecure temporary file + {CVE-2005-3121} +[woody] - module-assistant not-affected (not part of Woody) Thanks for adding these tags. I'm not sure if not-affected tags are really necessary when the package is not

Re: [Secure-testing-team] FIXES: and FIXED-BY: directives

2005-10-18 Thread Florian Weimer
* Moritz Muehlenhoff: In general, the will be fixed soon part for testing/unstable is much harder. 8-) Ahh, I thought you wanted to add manual Sarge/Woody tracking for all the entries in CAN/list. Most of them are either unfixed, or there is a DSA for them. In some cases, the vulnerable

Re: [Secure-testing-team] FIXES: and FIXED-BY: directives

2005-10-17 Thread Florian Weimer
* Moritz Muehlenhoff: I think the basic principle is useful and needed. IMO the fix for sid should be exclusively kept in CAN/list and not further duplicated in DSA/list, as these tend to get out of sync, when people forget to adapt them in DSA/list as well. And the fix for etch should be

[Secure-testing-team] Re: [Secure-testing-commits] r2366 - data/CAN

2005-10-09 Thread Florian Weimer
* Moritz Muehlenhoff: +CAN-2005- [Missing safemode checks in PHP's _php_image_output functions] + - php5 5.0.5-2 + - php4 4:4.4.0-3 According to Debian's stable security bug fixing policy, these aren't security vulnerabilities. Shall we track them nevertheless?

Re: [Secure-testing-team] Re: [Secure-testing-commits] r2366 - data/CAN

2005-10-09 Thread Florian Weimer
* Moritz Muehlenhoff: According to Debian's stable security bug fixing policy, these aren't security vulnerabilities. Shall we track them nevertheless? As this hasn't been specifically publicly announced, we should do so? I don't know. I've been told it's the policy, and I've documented in

Re: [Secure-testing-team] Another syntax addition: removed

2005-10-04 Thread Florian Weimer
* Joey Hess: Moritz Muehlenhoff wrote: consider the following case: Package foo has a bug, the bug affects stable or oldstable, but the fix for sid/testing consists in the removal of foo or it has already been removed for other reasons. not-affected doesn't fit, because older releases of

[Secure-testing-team] Re: [Secure-testing-commits] r2256 - data/DSA

2005-10-01 Thread Florian Weimer
* Moritz Muehlenhoff: +[30 Sep 2005] DSA-831-1 mysql-dfsg-4.1 - several + { CAN-2005-2558 } + - mysql-dfsg-4.1 4.1.14-2 (medium) + - mysql-dfsg-5.0 5.0.11beta-3 (medium) + NOTE: fixed in testing at time of DSA Uhm, testing seems to have 4.1.11a-4, same as sarge. So I
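Review bot: the cross-reference is written `{ CAN-2005-2558 }` with spaces inside the braces, while other DSA entries use the form `{CVE-2005-3121}` without them; normalise to the usual form unless the parser is known to accept both. The NOTE "fixed in testing at time of DSA" should also be checked against the version actually in testing before it is committed.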

[Secure-testing-team] Re: [Secure-testing-commits] r2249 - in data: CAN CVE

2005-09-30 Thread Florian Weimer
* Joey Hess: CAN-2005-2796 (The sslConnectTimeout function in ssl.c for Squid 2.5.STABLE10 and ...) - {DSA-809-1} Ahem, what's going on here? Is this related to the changes in r2245?

Re: [Secure-testing-team] Proposed syntax changes for CAN/list / finalization phase

2005-09-23 Thread Florian Weimer
* Moritz Muehlenhoff: CAN-2005-3011 (texindex in texinfo 4.7 and earlier allows local users to overwrite ...) - texinfo unfixed (bug #328265; low) Please use some characters which cannot be part of version numbers, for example: - texinfo unfixed (bug #328265; low) Also for
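The list syntax discussed in this message (annotations in parentheses, separated by semicolons), in the TEMP-item answer further up (CVE-YYYY-XXXX with the description in brackets), and in the [sarge] not-affected exchange, as an added example that is not the tracker's own parser: a small Python reader for the indented data/CVE/list format. The grammar is reconstructed from the snippets on this page and may differ from the real file; the release fallback in status_for (a release without its own line inherits the default line) is an assumption made for the example, and SAMPLE is constructed input, not a copy of the file.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

SEVERITIES = {"unimportant", "low", "medium", "high"}
# Header: "CVE-2007-5695 (MITRE description)", "CVE-2007-5049 REJECTED", or the
# placeholder "CVE-2007-XXXX [local description]" that the tracker shows as TEMP-...
HEADER_RE = re.compile(r"^(CVE-\d{4}-(?:\d+|XXXX))(?:\s+\((.*)\)|\s+\[(.*)\]|\s+REJECTED)?$")
# Package line: "[sarge] - libgtop 2.6.0-4 (medium; bug #1234)" or "- texinfo unfixed (low)".
# Annotations live in parentheses, which cannot appear in a version, separated by ';'.
PKG_RE = re.compile(r"^(?:\[(?P<rel>\w+)\]\s+)?-\s+(?P<pkg>\S+)\s+(?P<state>\S+)"
                    r"(?:\s+\((?P<ann>[^)]*)\))?$")


@dataclass
class PackageStatus:
    package: str
    state: str                     # a fixed version, or unfixed / not-affected / removed
    release: Optional[str] = None  # None = the default (unstable) line
    severity: Optional[str] = None
    bug: Optional[int] = None
    notes: List[str] = field(default_factory=list)   # free-text annotations


@dataclass
class Issue:
    name: str
    description: str
    temporary: bool                # CVE-YYYY-XXXX placeholder, needs a real ID later
    not_for_us: bool = False
    xrefs: List[str] = field(default_factory=list)   # e.g. {DSA-1301-1}
    packages: List[PackageStatus] = field(default_factory=list)


def parse_list(text: str) -> List[Issue]:
    """Parse the indented CVE/list format; malformed lines raise ValueError."""
    issues: List[Issue] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():                     # unindented: new issue header
            m = HEADER_RE.match(line)
            if not m:
                raise ValueError("expected CVE header, got: %r" % line)
            issues.append(Issue(m[1], m[2] or m[3] or "", m[1].endswith("-XXXX")))
        elif not issues:
            raise ValueError("indented line before the first CVE header")
        elif line.startswith("{") and line.endswith("}"):
            issues[-1].xrefs += line[1:-1].split()
        elif line.startswith("NOT-FOR-US:"):
            issues[-1].not_for_us = True
        elif not line.startswith(("NOTE:", "TODO:")):
            m = PKG_RE.match(line)
            if not m:
                raise ValueError("expected package entry, got: %r" % line)
            st = PackageStatus(m["pkg"], m["state"], m["rel"])
            for ann in filter(None, (s.strip() for s in (m["ann"] or "").split(";"))):
                if ann in SEVERITIES:
                    st.severity = ann
                elif ann.startswith("bug #"):
                    st.bug = int(ann[5:])
                else:
                    st.notes.append(ann)
            issues[-1].packages.append(st)
    return issues


def status_for(issue: Issue, package: str,
               release: Optional[str] = None) -> Optional[PackageStatus]:
    """Line that applies to a release: an explicit [release] line wins; otherwise
    the default line is used (assumed fallback for this example)."""
    lines = [p for p in issue.packages if p.package == package]
    explicit = [p for p in lines if p.release == release]
    default = [p for p in lines if p.release is None]
    return (explicit or default or [None])[0]


# Constructed sample input in the list syntax (not a copy of data/CVE/list).
SAMPLE = """\
CVE-2007-5695 (command.php in SiteBar 3.3.8 allows remote attackers to redirect users ...)
\t- sitebar unfixed (low; bug #448690)
\tNOTE: there is no real exploit scenario
CVE-2006-XXXX [constructed placeholder entry for package foo]
\t- foo 1.2-3 (medium)
\t[sarge] - foo not-affected (only 1.x is affected)
CVE-2005-XXXX [constructed placeholder for a product Debian does not ship]
\tNOT-FOR-US: constructed product
"""
```

Because the parser fails loudly on a package line it cannot read, a commit with a stray token after the version (the failure mode behind the "expected package entry, got:" error quoted earlier on this page) is rejected at parse time instead of silently producing a wrong fixed version.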

Re: [Secure-testing-team] Keeping us busy in Oldenburg

2005-09-20 Thread Florian Weimer
* Moritz Muehlenhoff: - The developer's reference entry wrt handling security bugs should be updated/extended, it's currently too terse and lacks important information. One big problem is that it gives developers the impression that *all* security fixes should be sent privately to the

[Secure-testing-team] RealPlayer is typically *not* not-for-us

2005-09-19 Thread Florian Weimer
This entry CAN-2005-1766 (Heap-based buffer overflow in rtffplin.cpp in RealPlayer 10.5 ...) NOTE: not-for-us (RealPlayer) is incorrect because Helix Player is affected as well: http://service.real.com/help/faq/security/050623_player/EN/ I will fix this entry. Would someone browse

[Secure-testing-team] [patch 1/3] Syntax tweaks for data/CAN/list

2005-09-10 Thread Florian Weimer
Index: secure-testing/data/CAN/list === --- secure-testing.orig/data/CAN/list 2005-09-10 16:28:02.0 +0200 +++ secure-testing/data/CAN/list2005-09-10 16:31:21.0 +0200 @@ -1611,7 +1611,7 @@ CAN-2005-2404 (SQL

[Secure-testing-team] [patch 2/3] Syntax tweaks for data/CAN/list

2005-09-10 Thread Florian Weimer
Index: secure-testing/data/CAN/list === --- secure-testing.orig/data/CAN/list 2005-09-10 16:33:36.0 +0200 +++ secure-testing/data/CAN/list2005-09-10 16:34:50.0 +0200 @@ -11933,7 +11933,7 @@ - star