On Wed, Jul 07, 2004 at 03:52:27PM +0200, Jeroen van Wolffelaar wrote:
> As I promised[1] before[2], here is a list of a few security issues that
> are not yet fixed in woody, and won't mind a little bit of help from
> interested people. This list was kindly given to me by Matt Zimmerman,
> so unlike Michael Stone suggested[3], I don't think this is a real waste
> of time, just like I think having bugs reported about these issues
> wouldn't be a waste of time either (and would be in line with the Social
> Contract's "We will not hide problems"). Let's see whether indeed making
> these issues better known like I'm doing this way, helps.
>
> mod_ssl: CAN-2004-0488[4]:
>
> "Stack-based buffer overflow in the ssl_util_uuencode_binary function
> in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust
> the issuing CA, may allow remote attackers to execute arbitrary code
> via a client certificate with a long subject DN."
>
> Question: does this affect woody?
>
> l2tpd buffer overflow posted on Bugtraq[5]:
>
> Does this affect woody? If so, proper patch?
Yes, it does. I have a patch which fixes the issue. I'll kick this to get
the woody version fixed. (I'm the l2tpd maintainer.)

> libpng and RHSA-2004-181:
>
> Was Debian's DSA-498[6] complete? RedHat announced a fix two
> times about it, RHSA-2004-180[7] and RHSA-2004-181[8]. Did DSA-498 cover
> both?
>
> gnome-vfs:
>
> Matt Zimmerman said: "I heard about a gnome-vfs bug recently as well;
> I would like to know if it affects woody".
>
> I couldn't find any reference to a recent report about this.
>
> squirrelmail cross-site scripting issues in 1.2.x: RS-2004-1[9]:
>
> As noted in the bugreport[10], there were some XSS issues fixed in the
> 1.2.x stable branch, that haven't hit any security list, and still are
> left unfixed in woody.
>
> --Jeroen
>
> [1] http://lists.debian.org/debian-security/2004/07/msg00036.html
> [2] http://lists.debian.org/debian-security/2004/07/msg00043.html
> [3] http://lists.debian.org/debian-security/2004/07/msg00041.html
> [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
> [5] http://seclists.org/lists/bugtraq/2004/Jun/0073.html
> [6] http://www.nl.debian.org/security/2004/dsa-498
> [7] http://www.redhat.com/support/errata/RHSA-2004-180.html
> [8] http://www.redhat.com/support/errata/RHSA-2004-181.html
> [9] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
> [10] http://bugs.debian.org/257973
>
> --
> Jeroen van Wolffelaar
> [EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
> http://Jeroen.A-Eskwadraat.nl
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

-- 
-> Jean-Francois Dive
--> [EMAIL PROTECTED]

  I think that God in creating Man somewhat overestimated his ability.
    -- Oscar Wilde
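The CAN-2004-0488 description quoted above names a bug class rather than a mechanism: a uuencode/base64 routine that writes an attacker-controlled input (a client certificate's subject DN) into a caller buffer whose size it never checks. The following C program is an added illustration of that class and of the fix shape, written for this page; it is not mod_ssl's ssl_util_uuencode_binary, and the function names, the 64-byte field size and the sample DN are all hypothetical. The output of both encoders lands in one large array with a canary region placed right after the "field", so the overrun is observable without actually smashing a stack frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE  64   /* hypothetical fixed-size field for the encoded DN */
#define CANARY_SIZE 16   /* guard region placed directly after the field   */

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encoded length (with '=' padding, without the NUL) of n input bytes. */
size_t b64_encoded_len(size_t n) { return 4 * ((n + 2) / 3); }

/* Emit one 4-character group for up to 3 input bytes packed in v. */
static void emit_group(char *dst, uint32_t v, int pad) {
    dst[0] = B64[(v >> 18) & 63];
    dst[1] = B64[(v >> 12) & 63];
    dst[2] = pad >= 2 ? '=' : B64[(v >> 6) & 63];
    dst[3] = pad >= 1 ? '=' : B64[v & 63];
}

/* Vulnerable shape: dst has no size parameter, so a long src simply
   runs past the end of whatever the caller provided. Returns bytes
   written, excluding the NUL. */
size_t b64_encode_unchecked(char *dst, const unsigned char *src, size_t n) {
    size_t i = 0, o = 0;
    for (; i + 3 <= n; i += 3, o += 4)
        emit_group(dst + o, ((uint32_t)src[i] << 16) |
                            ((uint32_t)src[i + 1] << 8) | src[i + 2], 0);
    if (n - i == 1) {
        emit_group(dst + o, (uint32_t)src[i] << 16, 2); o += 4;
    } else if (n - i == 2) {
        emit_group(dst + o, ((uint32_t)src[i] << 16) |
                            ((uint32_t)src[i + 1] << 8), 1); o += 4;
    }
    dst[o] = '\0';
    return o;
}

/* Hardened shape: compute the required size first and refuse (-1)
   when output plus NUL would not fit, before writing a single byte. */
long b64_encode_checked(char *dst, size_t dst_size,
                        const unsigned char *src, size_t n) {
    if (dst_size == 0 || b64_encoded_len(n) > dst_size - 1)
        return -1;
    return (long)b64_encode_unchecked(dst, src, n);
}

/* Backing store: [field][canary][slack]. An overrun of the field lands
   on the canary but stays inside the array, keeping the demo defined. */
static int run_demo(int checked) {
    unsigned char store[FIELD_SIZE + CANARY_SIZE + 256];
    char *field = (char *)store;
    unsigned char *canary = store + FIELD_SIZE;
    /* Constructed subject DN, deliberately longer than the field holds. */
    static const char dn[] =
        "/C=XX/ST=Example/L=Example/O=Example Org/OU=Unit/CN="
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

    memset(store, 0, sizeof store);
    memset(canary, 0xAA, CANARY_SIZE);
    if (checked)
        b64_encode_checked(field, FIELD_SIZE, (const unsigned char *)dn, strlen(dn));
    else
        b64_encode_unchecked(field, (const unsigned char *)dn, strlen(dn));

    for (size_t k = 0; k < CANARY_SIZE; k++)
        if (canary[k] != 0xAA) return 1;   /* canary clobbered */
    return 0;
}

int unchecked_clobbers_canary(void) { return run_demo(0); }
int checked_preserves_canary(void)  { return run_demo(1) == 0; }

int main(void) {
    printf("unchecked encoder overran the field: %s\n",
           unchecked_clobbers_canary() ? "yes" : "no");
    printf("checked encoder left the canary intact: %s\n",
           checked_preserves_canary() ? "yes" : "no");
    return 0;
}
```

The point for triage is the shape of the fix, not the encoder itself: any routine that expands input into a fixed caller buffer needs the buffer size as a parameter and a length check before the first write, and the DN of a client certificate is attacker-chosen data the moment the server is configured to trust the issuing CA.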

