On Sat, 10 Oct 2009 14:50:39 -0500 Raphael Geissert wrote:
Hi Michael,
Michael S Gilbert wrote:
[...]
i am about to do a mass bug filing on the prototypejs embeds, and want
to make sure that it is ok to do so ahead of time since it involves 32
separate packages that are affected, which
On Fri, 11 Sep 2009 18:50:27 +0200, Giuseppe Iuculano wrote:
Hi,
local screen lock bypass vulnerability in xscreensaver is not important enough
to get it fixed via regular security update in Debian stable and oldstable. It
does not warrant a DSA.
However it would be nice if this could get
Giuseppe,
in the process of doing the embedded code copies triage, i've come
across a lot of cases where tracking for kompozer is not done. i
understand that this package is relatively new, but since it is derived
from existing code, it should be checked retroactively for
vulnerabilities. it
On Sun, 30 Aug 2009 19:57:47 +0200 Moritz Muehlenhoff wrote:
On Sun, Aug 30, 2009 at 05:09:16PM +, Michael Gilbert wrote:
Author: gilbert-guest
Date: 2009-08-30 17:09:16 + (Sun, 30 Aug 2009)
New Revision: 12708
Modified:
data/CVE/list
Log:
beginning of embedded code
On Sun, 30 Aug 2009 21:40:11 +0200 Moritz Muehlenhoff wrote:
oh, and wouldn't a complete fix for an embedded code copy involve a
patch that strips the embedded code from the debian source package?
maybe this isn't the current state of play, but we should probably push
for this.
On Sun, 30 Aug 2009 23:02:29 +0200 Moritz Muehlenhoff wrote:
On Sun, Aug 30, 2009 at 03:52:19PM -0500, Raphael Geissert wrote:
Michael Gilbert wrote:
Author: gilbert-guest
Date: 2009-08-30 18:28:44 + (Sun, 30 Aug 2009)
New Revision: 12710
Modified:
On Mon, 31 Aug 2009 00:01:08 +0200 Giuseppe Iuculano wrote:
Michael S Gilbert ha scritto:
fyi, here is the output of ldd for xulrunner 1.9.0.13:
$ ldd /usr/lib/xulrunner-1.9.1/xulrunner-bin
This is for xulrunner-1.9.1.
libxul.so = not found
Try with /usr/lib/xulrunner-1.9
On Mon, 31 Aug 2009 00:23:00 +0200 Nico Golde wrote:
Hi,
* Michael Gilbert gilbert-gu...@alioth.debian.org [2009-08-30 19:06]:
Author: gilbert-guest
Date: 2009-08-30 17:09:16 + (Sun, 30 Aug 2009)
New Revision: 12708
Modified:
data/CVE/list
Log:
beginning of embedded code
, at 10:00 PM, Michael S Gilbert wrote:
hello,
i sent the following mail a few weeks ago, and have not heard anything
yet. security of your downstream vendors is of utmost importance for
webkit to gain traction as a trustable browser engine.
if downstreams are not going to be able
On Thu, Aug 27, 2009 at 12:20 AM, Steffen Joeris wrote:
Just a note, I haven't looked at the patch.
The distribution field for point release updates should either say stable or
stable-proposed-updates. Only uploads targeted for security.debian.org
should have stable-security in the
Hello,
I'm looking for a sponsor for an spu update for xscreensaver in lenny.
Debdiff is attached.
The package can be found on mentors.debian.net:
- URL: http://mentors.debian.net/debian/pool/main/x/xscreensaver
- Source repository: deb-src http://mentors.debian.net/debian unstable main contrib
On Wed, 26 Aug 2009 19:29:10 +0200, Moritz Muehlenhoff wrote:
You should redirect the TODOs in a file separate from CVE/list,
thanks for looking at this. i personally think that the cve list is
the best destination. the reasoning is that cve TODOs are good
indicators of what needs to be worked on
On Wed, 26 Aug 2009 20:01:42 +0200, Moritz Muehlenhoff wrote:
On Wed, Aug 26, 2009 at 01:59:58PM -0400, Michael S. Gilbert wrote:
On Wed, 26 Aug 2009 19:29:10 +0200, Moritz Muehlenhoff wrote:
You should redirect the TODOs in a file separate from CVE/list,
thanks for looking at this. i
On Wed, 26 Aug 2009 20:24:36 +0200, Moritz Muehlenhoff wrote:
On Wed, Aug 26, 2009 at 02:25:19PM -0400, Michael S. Gilbert wrote:
On Wed, 26 Aug 2009 20:01:42 +0200, Moritz Muehlenhoff wrote:
On Wed, Aug 26, 2009 at 01:59:58PM -0400, Michael S. Gilbert wrote:
On Wed, 26 Aug 2009 19:29:10
On Wed, 26 Aug 2009 14:06:24 -0500, Raphael Geissert wrote:
Michael S. Gilbert wrote:
[...]
btw, my script is already smart enough to exclude fixed embeds; it uses
the unfixed/removed/unknown/itp tags in embedded-code-copies to
determine if an issue is open or not. so as long
On Wed, 26 Aug 2009 21:04:08 +0200, Moritz Muehlenhoff wrote:
On Wed, Aug 26, 2009 at 02:55:03PM -0400, Michael S. Gilbert wrote:
On Wed, 26 Aug 2009 20:24:36 +0200, Moritz Muehlenhoff wrote:
On Wed, Aug 26, 2009 at 02:25:19PM -0400, Michael S. Gilbert wrote:
On Wed, 26 Aug 2009 20:01:42
On Thu, 27 Aug 2009 13:54:10 +1000 Steffen Joeris wrote:
On Thu, 27 Aug 2009 01:38:18 pm Michael S Gilbert wrote:
Hi,
A new lenny release is coming soon and there are some open security
issues in poppler that I have fixed. Attached is the debdiff of the
changes.
The package can
On Sun, 23 Aug 2009 15:06:53 -0400, Michael S Gilbert wrote:
is it possible to change the wsvn view to use a fixed-width font? the
table i just created is hardly readable with the default variable-width
font:
http://svn.debian.org/wsvn/secure-testing/doc/narrative_introduction?op=filerev=0sc=0
which is linked to from the security-tracker and other pages.
hi all,
i'm planning on fixing up some aspects of the tracker, so i have
started by figuring out how to get './bin/test-web-server' up and
running.
a couple of things are required to do this. first of all you need to
make sure you have the python-apsw and thttpd packages installed, and
you need
On Sun, 23 Aug 2009 17:22:43 -0400 Michael S Gilbert Michael wrote:
however, it is not populated with any of the secure-testing data (i.e.
skeletons of the pages are there, but affected packages, version info,
etc are not). any ideas on what i need to do differently to get
On Mon, 24 Aug 2009 00:59:44 + Michael Gilbert Michael wrote:
introduction of inject-embedded-code-copies
hello, i've noticed that embedded code copies can be troublesome to
track, so i've developed a script that automatically adds TODOs for
known code copies to the CVE list.
i implemented
On Mon, Aug 17, 2009 at 11:25 PM, Steffen Joeris wrote:
On Mon, 17 Aug 2009 04:15:01 pm Michael S Gilbert wrote:
I am looking for a sponsor for a security update to xscreensaver in
unstable. Attached is the debdiff for your review.
The package can be found on mentors.debian.net:
- URL: http
5.05-3+nmu1 package for unstable:
debdiff attached.
xscreensaver.debdiff
Description: Binary data
___
Secure-testing-team mailing list
Secure-testing-team@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
dear maintainer,
the security team has applied an nmu for xscreensaver in unstable and
will soon for experimental also. see attached debdiffs.
regards,
michael gilbert
xscreensaver.debdiff
Description: Binary data
xscreensaver-experimental.debdiff
Description: Binary data
On Thu, 20 Aug 2009 10:54:13 +1000 Steffen Joeris wrote:
Uploading that one now, but I can't find the experimental one anymore. :(
Also, you'll need to send the full debdiff to the bugreport as required by
the
NMU rules.
mentors will only allow me to upload one package with the same name at
I am looking for a sponsor for a security update to xscreensaver in
unstable. Attached is the debdiff for your review.
The package can be found on mentors.debian.net:
- URL: http://mentors.debian.net/debian/pool/main/x/xscreensaver
- Source repository: deb-src http://mentors.debian.net/debian
On Fri, Aug 14, 2009 at 4:16 PM, Giuseppe Iuculano wrote:
--- data/DSA/list 2009-08-14 19:31:52 UTC (rev 12594)
+++ data/DSA/list 2009-08-14 20:16:54 UTC (rev 12595)
@@ -2055,7 +2055,7 @@
{CVE-2007-0005 CVE-2007-0958 CVE-2007-1357 CVE-2007-1592}
[etch] - linux-2.6
On Fri, Aug 14, 2009 at 5:16 PM, Michael S Gilbert michael.s.gilb...@gmail.com wrote:
Because in DSA-1285-1 the security team uploaded a new upstream security
release, 2.0.10-1, and that issue was fixed in 2.1.3 and 2.0.10 (legacy
version).
ok, i can't find that claimed in the 2.0.10 etch
On Fri, Aug 14, 2009 at 5:29 PM, Giuseppe Iuculano giuse...@iuculano.it wrote:
Yes, I checked against the PoC, but also upstream confirmed[1] that
[1]http://wordpress.org/development/2007/04/wordpress-213-and-2010/
i still don't see CVE-2007-4483 claimed fixed there. so the
difference between
On Thu, 13 Aug 2009 17:24:23 +0200 Nico Golde wrote:
P.S. by fixing bugs I meant in unstable
Just realized that this may sound a bit harsh. Sorry. But
this is really not the place where help is needed, picking
up upstream security patches and applying them isn't the
hard part. But there are a
On Wed, 12 Aug 2009 14:21:33 +0200, Nico Golde wrote:
Hi,
* Michael S. Gilbert michael.s.gilb...@gmail.com [2009-08-12 11:58]:
On Wed, 12 Aug 2009 06:20:25 +0200 Giuseppe Iuculano wrote:
Michael S. Gilbert ha scritto:
although, the question is, what can the attacker do once
On Tue, 11 Aug 2009 18:43:00 +, Nico Golde wrote:
Author: nion
Date: 2009-08-11 18:43:00 + (Tue, 11 Aug 2009)
New Revision: 12566
Modified:
data/CVE/list
Log:
track new wordpress issue
Modified: data/CVE/list
On Tue, 11 Aug 2009 20:45:32 +, Giuseppe Iuculano wrote:
Author: derevko-guest
Date: 2009-08-11 20:45:32 + (Tue, 11 Aug 2009)
New Revision: 12571
Modified:
data/CVE/list
data/ospu-candidates.txt
data/spu-candidates.txt
Log:
etch and lenny are not affected by wordpress
On Wed, 12 Aug 2009 06:20:25 +0200 Giuseppe Iuculano wrote:
Michael S. Gilbert ha scritto:
although, the question is, what can the attacker do once they have
access to a wordpress account?
Note that the attacker does not have access to a wordpress account; he can only send
the reset
On Mon, 10 Aug 2009 18:58:17 +, Nico Golde wrote:
Author: nion
Date: 2009-08-10 18:58:17 + (Mon, 10 Aug 2009)
New Revision: 12553
Modified:
data/CVE/list
Log:
fix libxml annotation
Modified: data/CVE/list
On Mon, 10 Aug 2009 21:13:53 +0200, Florian Weimer wrote:
* Michael S. Gilbert:
right, but debian now has almost all free software firmwares for those
devices, and hence those threats are mostly nullified, right?
Only for firmware which is not that firm and lost if the power is
gone
On Sun, 9 Aug 2009 13:56:23 + Nico Golde wrote:
Author: nion
Date: 2009-08-09 13:56:23 + (Sun, 09 Aug 2009)
New Revision: 12531
Modified:
data/CVE/list
Log:
add todos for new items, please do that as well next time
Modified: data/CVE/list
On Sun, 9 Aug 2009 19:02:49 +0200 Nico Golde wrote:
Hi,
* Michael S. Gilbert michael.s.gilb...@gmail.com [2009-08-09 18:42]:
On Sun, 9 Aug 2009 13:56:23 + Nico Golde wrote:
Author: nion
Date: 2009-08-09 13:56:23 + (Sun, 09 Aug 2009)
New Revision: 12531
Modified
On Sun, 9 Aug 2009 21:11:44 +0200 Moritz Muehlenhoff wrote:
On Sun, Aug 09, 2009 at 01:34:21PM -0400, Michael S. Gilbert wrote:
On Sun, 9 Aug 2009 19:02:49 +0200 Nico Golde wrote:
Hi,
* Michael S. Gilbert michael.s.gilb...@gmail.com [2009-08-09 18:42]:
On Sun, 9 Aug 2009 13:56:23
On Sun, 9 Aug 2009 13:55:11 + Nico Golde wrote:
Author: nion
Date: 2009-08-09 13:55:11 + (Sun, 09 Aug 2009)
New Revision: 12530
Modified:
data/CVE/list
Log:
adjust xscreensaver impact, corner case
Modified: data/CVE/list
On Tue, 04 Aug 2009 12:57:07 +0200, Giuseppe Iuculano wrote:
How we should track them?
Maintainer closed #538240 because users must update the Adobe Flash Player
with:
update-flashplugin-nonfree --install
i'd say add issues/CVEs to the tracker for users' awareness, but don't
spend time
derived from ubuntu's 0.5.1 patch, here is a patch set for etch's
0.4.5. i am fairly certain all of these CVEs are addressed in this one.
note vulnerable code not present in etch for CVE-2009-0755/1188.
i also now see which are the specific patches for 0146/0147/0166, and
they are indeed not
hello,
i have developed a patch for lenny derived from ubuntu's patches for
a set of recent JBIG2 poppler/xpdf issues and an upstream patch for
2009-0755. see attached. here are my notes on the work:
- 2009-0756 already applied (pdf demonstrator did not crash evince
with vanilla
Hello,
Are you positive that CVE-2009-0146/0147/0166 were patched as claimed
in [1]? There is no indication yet that these are fixed upstream (no
specific commits), and there are no patches linked from mitre to
verify against. Can you shed some light on the situation? Thanks.
[1]
On Sat, 1 Aug 2009 11:58:57 +0200 Albert Astals Cid wrote:
CVE is the game of people that make money about bugs, most of the time they
don't even warn us nor give us PDF to try to reproduce the problems so i
mostly ignore CVE.
The only CVE i was informed of and we worked to solve was the
On Sat, 1 Aug 2009 02:50:20 -0400 Michael S Gilbert wrote:
i have developed a patch for lenny derived from ubuntu's patches for
a set of recent JBIG2 poppler/xpdf issues and an upstream patch for
2009-0755. see attached. here are my notes on the work:
- 2009-0756 already applied (pdf
On Mon, 27 Jul 2009 12:05:35 +1000 Steffen Joeris wrote:
On Mon, 27 Jul 2009 05:21:29 am Stefan Fritsch wrote:
Since I haven't been involved recently, nor was it my idea to organize
this BoF, I also don't have particular agenda items in mind. So, topics
for an agenda?
I have a few
hello,
i noticed that no one from debian is involved in the webkit security
team [1]. would it make sense to get someone on there to be able to
better deal with webkit-related security issues? there are currently
30+ disclosed but untriageable webkit CVEs in debian because of
webkit's
hello,
this issue is a target for the next etch/lenny point releases. please
coordinate with the security team to help them prepare updated
packages for the stable distributions. thanks.
mike
On Thu, 25 Jun 2009 22:33:10 + Moritz Muehlenhoff wrote:
lynx supports neither Javascript nor multipart/form-data, so it's not
affected.
i am trying to track the deeper cause here (the fact that all of the
web browsers use a predictable PRNG), rather than the symptom (this
particular
On Sun, 21 Jun 2009 21:33:10 +0200 Moritz Muehlenhoff wrote:
On Fri, Jun 19, 2009 at 04:28:53PM -0400, Michael S. Gilbert wrote:
On Fri, 19 Jun 2009 22:13:32 +0200, Giuseppe Iuculano wrote:
Michael S. Gilbert ha scritto:
i don't see the need for this reversion. if the tracker has
On Fri, 19 Jun 2009 09:09:05 +, Giuseppe Iuculano wrote:
Author: derevko-guest
Date: 2009-06-19 09:09:04 + (Fri, 19 Jun 2009)
New Revision: 12161
Modified:
data/CVE/list
Log:
Reverted changes in packages accepted in stable/oldstable. Those entries have
to be changed
when
On Mon, 8 Jun 2009 15:12:16 +, Luciano Bello wrote:
Author: luciano
Date: 2009-06-08 15:12:16 + (Mon, 08 Jun 2009)
New Revision: 12073
Modified:
data/CVE/list
Log:
CVE-2009-0945 NOT-FOR-US
are you sure about this? most of the advisories say it is indeed
webkit-specific, but
On Wed, 20 May 2009 18:43:15 +0200, Thijs Kinkhorst wrote:
Let's just split this discussion, and continue with the discussion-in-NOTE
issue here.
i think NOTEs are a somewhat reasonable place to discuss conflicts of
opinion because it is centralized, connected to the issue at hand, and
Nico Golde wrote:
Besides that I guess whoever tagged that as a minor
issue didn't do so because of defeating ASLR with this bug
but because it's a bad idea to run memcached in untrusted
environments with the port open to the outside world.
i don't want to get into an argument, but i
Package: vim
Version: 1:7.0.109
Severity: grave
Tags: security
Justification: user security hole
redhat has just released an update that fixes multiple security flaws in
vim [1]. these issues are currently reserved in the CVE tracker, but
redhat describes the problems as:
Multiple security