Lionel Elie Mamane wrote:

> let a be an architecture in sarge. Then one of the following holds for
> mailman in sarge r3:
>
> - it is affected by a security problem.
>
> - it has a severity critical bug.
>
> Mailman in sid:
>
> - may or may not suffer from a security problem
>
> A security problem in Mailman in sarge patched in May has _not_ been
> issued a DSA.

Oh. Which security problem are you talking about?

> There seems to have been a screw-up in handling of mailman security
> and stable updates: There are two different mailman packages in Debian
> with version number 2.1.5-8sarge3.

Ugh? How did that happen? Where is the second one?

I only see 2.1.5-8sarge3 in stable but only 2.1.5-8sarge2 in the
security archive.

> History, in chronological order:
>
> -8sarge2 security update to fix:
> potential DoS attack with malformed multi-part messages (closes: #358892)
> [CVE-2006-0052]
>
> -8sarge3 maintainer update (that got frozen waiting for -8sarge2 to
> happen in order not to conflict with it) to fix bug #358575, a
> severity critical bug.
>
> Uploaded to stable-proposed-updates in the night from 11 to 12
> April 2006, where it created problems because -8sarge1 was to be
> going in sarge r2, and having -8sarge3 appear confused
> everything. Stable update team says something along the lines of
> "will consider for sarge r3".

Apparently it has been installed in the archive.

> -8sarge3 security update to fix:
> format string vulnerability [src/common.c,
> debian/patches/72_CVE-2006-2191.dpatch]
>
> That security update has not been announced by a DSA, and cannot be
> downloaded from
> http://security.debian.org/pool/updates/main/m/mailman/ .
>
> I don't have access to the source of this package. It was apparently
> prepared by Martin "Joey" Schulze on 13 May 2006.

Umh? But where is it? I don't have it either. I have recorded the
patch to fix this vulnerability, though. It's attached.

> As a maintainer of Mailman, I have no recollection of being notified
> of CVE-2006-2191 (it is possible I have missed the notification, but
> my email archives do not contain anything relevant with subject
> "mailman" and 2191 in the body); the CVE entry at mitre.org contains
> no information. I have no idea whether this security problem affects
> the version in sid or not, I have no precise information _what_ this
> security problem is.

I found a trace. Apparently this problem has been considered not
exploitable later, and hence the issue was disregarded. The researcher
was Karl Chen. He suggested filing a normal bug then. If that has
happened, you should have (had) it in your bug list.

> The situation right now:
>
> - sarge r3 contains mailman 2.1.5-8sarge3, but some architectures
> have the security update (such as i386) and others have the
> maintainer update (such as source, sparc and alpha).
>
> Thus all architectures are screwed up in one way or the other.

AAAAAARRRRRRRRRRRRRRRGGGGGGGGGGGSSSSSSSSSSSSSSSS!!!!!!!!!!!!!

This is an interesting screwup...

> So, please, security team, tell us about CVE-2006-2191. If
> appropriate, issue a DSA about it, for a package under version number
> -8sarge4, built on top of -8sarge3 the maintainer update. Please give
> us (the mailman-in-Debian maintainers) the information needed to fix
> CVE-2006-2191 in sid, or make a retroactive note in the changelog to
> note when it was fixed by a new upstream version.

I'll forward you the mails wrt this issue. Guess we didn't contact you
earlier because it became a non-issue.

> Stable release team, please react accordingly; you may for example do
> a binary sourceless NMU for the architectures that have -8sarge3 the
> security update so that they all have -8sarge3 the maintainer update.

Imho, it's more useful to upload 2.1.5-8sarge4 and only bump the
version number to get the new version built for all architectures
into the archive.

Regards,

	Joey

-- 
Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.
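The disagreement at the end of this thread (a sourceless binary NMU under the same version versus an upload of -8sarge4) turns on how dpkg orders Debian version strings: the two different -8sarge3 packages compare equal, so neither one can ever replace the other through apt, while -8sarge4 sorts strictly above both on every architecture. The following is an added example, not code from this thread or from Debian's own tooling: it ports the version-comparison algorithm of Debian Policy 5.6.12 (the same ordering dpkg --compare-versions uses) to Python and runs a proposed version against a small per-architecture archive snapshot. The snapshot `ARCHIVE_SNAPSHOT`, its "upload" tags and the helper names are constructed for illustration and are not the real sarge r3 index.

```python
"""Debian version ordering, used to decide whether an upload supersedes what
is in the archive.  Added example: the comparison follows Debian Policy 5.6.12
(as dpkg --compare-versions); ARCHIVE_SNAPSHOT below is constructed data."""

from typing import Dict, List

DIGITS = "0123456789"


def _order(c: str) -> int:
    """Sort weight of a character inside a non-digit run: '~' sorts before
    everything, even end of string; letters sort before non-letters."""
    if c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream_version or debian_revision; <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: character-by-character with the _order() weights.
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: numeric comparison, leading zeros ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1  # a has more digits left, so its number is larger
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """[epoch:]upstream_version[-debian_revision]; a missing revision is '0'."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, "0"
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1 if a < b, 0 if equal, 1 if a > b, in dpkg --compare-versions order."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _cmp_fragment(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


# Constructed snapshot (not the real archive): the mailman binary version per
# architecture and which upload it came from.  Both -8sarge3 builds carry the
# same version string, which is exactly the problem discussed above.
ARCHIVE_SNAPSHOT: Dict[str, Dict[str, str]] = {
    "i386": {"version": "2.1.5-8sarge3", "upload": "security"},
    "sparc": {"version": "2.1.5-8sarge3", "upload": "maintainer"},
    "alpha": {"version": "2.1.5-8sarge3", "upload": "maintainer"},
}


def split_builds(snapshot: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, List[str]]]:
    """Versions that appear with more than one distinct upload, grouped by
    upload -> architectures.  A non-empty result means the archive is split."""
    by_version: Dict[str, Dict[str, List[str]]] = {}
    for arch, meta in snapshot.items():
        by_version.setdefault(meta["version"], {}).setdefault(meta["upload"], []).append(arch)
    return {v: {u: sorted(archs) for u, archs in uploads.items()}
            for v, uploads in by_version.items() if len(uploads) > 1}


def archs_needing_upgrade(candidate: str, snapshot: Dict[str, Dict[str, str]]) -> List[str]:
    """Architectures on which `candidate` sorts strictly above the archived
    version, i.e. where apt would actually install it."""
    return sorted(arch for arch, meta in snapshot.items()
                  if compare_versions(candidate, meta["version"]) > 0)


if __name__ == "__main__":
    print("split builds:", split_builds(ARCHIVE_SNAPSHOT))
    for cand in ("2.1.5-8sarge3", "2.1.5-8sarge4"):
        print(cand, "would upgrade:", archs_needing_upgrade(cand, ARCHIVE_SNAPSHOT))
```

Re-uploading under 2.1.5-8sarge3 upgrades nothing, because every archived version compares equal to it; 2.1.5-8sarge4 is the smallest revision bump that sorts above both existing -8sarge3 builds, which is the point of the proposal in the last paragraph. The same function also shows why -8sarge3 was able to "confuse everything" in stable-proposed-updates: it already sorted above the -8sarge1 that was scheduled for sarge r2.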