Your message dated Thu, 19 Jun 2008 20:05:01 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Re: [Pkg-xen-devel] Bug#487095: xen-3: multiple security issues
has caused the Debian Bug report #487095,
regarding xen-3: multiple security issues
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.)

--
487095: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487095
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Source: xen-3
Version: 3.2.1-1
Severity: grave
Tags: security, patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were published for xen-3.

CVE-2008-1943[0]:
| Buffer overflow in the backend of XenSource Xen Para Virtualized Frame
| Buffer (PVFB) 3.0 through 3.1.2 allows local users to cause a denial
| of service (crash) and possibly execute arbitrary code via a crafted
| description of a shared framebuffer.

CVE-2008-1944[1]:
| Buffer overflow in the backend framebuffer of XenSource Xen
| Para-Virtualized Framebuffer (PVFB) Message 3.0 through 3.0.3 allows
| local users to cause a denial of service (SDL crash) and possibly
| execute arbitrary code via "bogus screen updates," related to missing
| validation of the "format of messages."

CVE-2008-1952[2]:
| ** RESERVED **
| This candidate has been reserved by an organization or individual that
| will use it when announcing a new security problem. When the
| candidate has been publicized, the details for this candidate will be
| provided.

If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1943
    http://security-tracker.debian.net/tracker/CVE-2008-1943
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1944
    http://security-tracker.debian.net/tracker/CVE-2008-1944
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1952
    http://security-tracker.debian.net/tracker/CVE-2008-1952

These issues are fixed within the following patch for fedora:
http://cvs.fedoraproject.org/viewcvs/rpms/xen/F-9/xen-pvfb-validate-fb.patch?view=markup

Kind regards,
Thomas.
--- End Message ---
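The two CVEs quoted above both come down to a backend trusting guest-supplied framebuffer geometry and update rectangles without bounds checks. The following is an added illustration, not code from Xen, Debian or the Fedora patch linked in the report: a hypothetical descriptor (field names and the size limits are assumptions) with the kind of validation a backend should apply before touching shared memory.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical description of a shared framebuffer as a guest frontend might
 * publish it. Field names are assumptions for this example, not the real
 * Xen PVFB page layout. Every field is guest-controlled and untrusted. */
struct fb_desc {
    uint32_t width;        /* pixels per row */
    uint32_t height;       /* rows */
    uint32_t depth;        /* bits per pixel */
    uint32_t line_length;  /* bytes per scanline (stride) */
    uint32_t mem_length;   /* bytes the guest claims to share */
};

/* Backend-side limits; values are assumptions chosen for the example. */
#define FB_MAX_WIDTH   4096u
#define FB_MAX_HEIGHT  4096u
#define FB_MAX_MEM     (64u * 1024u * 1024u)

/* Accept a descriptor only if it is internally consistent and within the
 * backend's own limits. Products are computed in 64 bits so a crafted
 * descriptor cannot wrap a 32-bit multiplication into a small size. */
bool fb_desc_valid(const struct fb_desc *d)
{
    if (d->width == 0 || d->height == 0)
        return false;
    if (d->width > FB_MAX_WIDTH || d->height > FB_MAX_HEIGHT)
        return false;
    if (d->depth != 8 && d->depth != 16 && d->depth != 24 && d->depth != 32)
        return false;
    uint64_t bytes_pp = d->depth / 8;
    if ((uint64_t)d->line_length < (uint64_t)d->width * bytes_pp)
        return false;                       /* stride must cover a full row */
    if ((uint64_t)d->line_length * d->height > d->mem_length)
        return false;                       /* image must fit the shared region */
    if (d->mem_length > FB_MAX_MEM)
        return false;                       /* and the region must fit our limit */
    return true;
}

/* Validate a "screen update" rectangle against an already-validated
 * descriptor. Subtracting first avoids overflow in x + w or y + h. */
bool fb_update_valid(const struct fb_desc *d,
                     uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    if (w == 0 || h == 0)
        return false;
    if (x > d->width || y > d->height)
        return false;
    if (w > d->width - x || h > d->height - y)
        return false;
    return true;
}
```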
--- Begin Message ---
On Thu, Jun 19, 2008 at 04:56:54PM +0200, Thomas Bläsing wrote:
> CVE-2008-1943[0]:
> | Buffer overflow in the backend of XenSource Xen Para Virtualized Frame
> | Buffer (PVFB) 3.0 through 3.1.2 allows local users to cause a denial
> | of service (crash) and possibly execute arbitrary code via a crafted
> | description of a shared framebuffer.

3.1.2 < 3.2

> CVE-2008-1944[1]:
> | Buffer overflow in the backend framebuffer of XenSource Xen
> | Para-Virtualized Framebuffer (PVFB) Message 3.0 through 3.0.3 allows
> | local users to cause a denial of service (SDL crash) and possibly
> | execute arbitrary code via "bogus screen updates," related to missing
> | validation of the "format of messages."

3.0.3 < 3.2

> CVE-2008-1952[2]:
> | ** RESERVED **
> | This candidate has been reserved by an organization or individual that
> | will use it when announcing a new security problem. When the
> | candidate has been publicized, the details for this candidate will be
> | provided.

No information.

> If you fix the vulnerabilities please also make sure to include the
> CVE ids in your changelog entry.

There is nothing to fix.

Bastian

--
Deflector shields just came on, Captain.
--- End Message ---