Re: libpng CVE-2006-7244/CVE-2009-5063
Henri Salo wrote: > There is two open vulnerabilities in libpng 1.2.27-2+lenny4 as you can see > from: > > http://security-tracker.debian.org/tracker/source-package/libpng > > The issues I am concerned about are CVE-2006-7244 and CVE-2009-5063. Notes of > the issues are: "package libpng is vulnerable; however, the security impact > is unimportant.", but I think these aren't unimportant as you can see from > here: > > http://www.openwall.com/lists/oss-security/2011/03/22/7 > http://www.openwall.com/lists/oss-security/2011/03/28/6 > > Is there a plan to fix these issues? Should I create a bug-report? The CVE entries describe these issues as denial-of-services, which can be chosen to be considered unimportant. Do you have information that the problem is actually more severe than that? If you really want to fix this, you can prepare an ospu and send it to debian-release@l.d.o for review for lenny's next stable update. Best wishes, Mike -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110724140306.2b4341292820cea9055fd...@gmail.com
Re: libpng CVE-2006-7244/CVE-2009-5063
On Sun, Jul 24, 2011 at 06:08:49PM +0300, Henri Salo wrote: > On Sun, Jul 24, 2011 at 04:54:41PM +0200, Moritz Mühlenhoff wrote: > > Henri Salo schrieb: > > > There is two open vulnerabilities in libpng 1.2.27-2+lenny4 as you can > > > see from: > > > > > > http://security-tracker.debian.org/tracker/source-package/libpng > > > > > > The issues I am concerned about are CVE-2006-7244 and CVE-2009-5063. > > > Notes of the issues are: "package libpng is vulnerable; however, the > > > security impact is unimportant.", but I think these aren't unimportant as > > > you can see from here: > > > > > > http://www.openwall.com/lists/oss-security/2011/03/22/7 > > > http://www.openwall.com/lists/oss-security/2011/03/28/6 > > > > > > Is there a plan to fix these issues? Should I create a bug-report? > > > > It's fixed already since 1.2.39-1 for both issues. > > > > Cheers, > > Moritz > > Well the tracker says the status for both CVEs is vulnerable. Please note > that I am talking about oldstable. It's not treated as a security issue for Debian, so we won't backport it to oldstable. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110724151655.GA4290@pisco.westfalen.local
Re: libpng CVE-2006-7244/CVE-2009-5063
On Sun, Jul 24, 2011 at 04:54:41PM +0200, Moritz Mühlenhoff wrote: > Henri Salo schrieb: > > There is two open vulnerabilities in libpng 1.2.27-2+lenny4 as you can see > > from: > > > > http://security-tracker.debian.org/tracker/source-package/libpng > > > > The issues I am concerned about are CVE-2006-7244 and CVE-2009-5063. Notes > > of the issues are: "package libpng is vulnerable; however, the security > > impact is unimportant.", but I think these aren't unimportant as you can > > see from here: > > > > http://www.openwall.com/lists/oss-security/2011/03/22/7 > > http://www.openwall.com/lists/oss-security/2011/03/28/6 > > > > Is there a plan to fix these issues? Should I create a bug-report? > > It's fixed already since 1.2.39-1 for both issues. > > Cheers, > Moritz Well the tracker says the status for both CVEs is vulnerable. Please note that I am talking about oldstable. Best regards, Henri Salo -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110724150849.ga25...@foo.fgeek.fi
Re: libpng CVE-2006-7244/CVE-2009-5063
Henri Salo schrieb: > There is two open vulnerabilities in libpng 1.2.27-2+lenny4 as you can see > from: > > http://security-tracker.debian.org/tracker/source-package/libpng > > The issues I am concerned about are CVE-2006-7244 and CVE-2009-5063. Notes of > the issues are: "package libpng is vulnerable; however, the security impact > is unimportant.", but I think these aren't unimportant as you can see from > here: > > http://www.openwall.com/lists/oss-security/2011/03/22/7 > http://www.openwall.com/lists/oss-security/2011/03/28/6 > > Is there a plan to fix these issues? Should I create a bug-report? It's fixed already since 1.2.39-1 for both issues. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/slrnj2ochh.aqm@inutil.org
libpng CVE-2006-7244/CVE-2009-5063
There is two open vulnerabilities in libpng 1.2.27-2+lenny4 as you can see from: http://security-tracker.debian.org/tracker/source-package/libpng The issues I am concerned about are CVE-2006-7244 and CVE-2009-5063. Notes of the issues are: "package libpng is vulnerable; however, the security impact is unimportant.", but I think these aren't unimportant as you can see from here: http://www.openwall.com/lists/oss-security/2011/03/22/7 http://www.openwall.com/lists/oss-security/2011/03/28/6 Is there a plan to fix these issues? Should I create a bug-report? Best regards, Henri Salo -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110724133148.ga24...@foo.fgeek.fi