Re: libpng CVE-2006-7244/CVE-2009-5063
Henri Salo he...@nerv.fi schrieb: There is two open vulnerabilities in libpng 1.2.27-2+lenny4 as you can see from: http://security-tracker.debian.org/tracker/source-package/libpng The issues I am concerned about are CVE-2006-7244 and CVE-2009-5063. Notes of the issues are: package libpng is vulnerable; however, the security impact is unimportant., but I think these aren't unimportant as you can see from here: http://www.openwall.com/lists/oss-security/2011/03/22/7 http://www.openwall.com/lists/oss-security/2011/03/28/6 Is there a plan to fix these issues? Should I create a bug-report? It's fixed already since 1.2.39-1 for both issues. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/slrnj2ochh.aqm@inutil.org
Re: libpng CVE-2006-7244/CVE-2009-5063
On Sun, Jul 24, 2011 at 04:54:41PM +0200, Moritz Mühlenhoff wrote: Henri Salo he...@nerv.fi schrieb: There is two open vulnerabilities in libpng 1.2.27-2+lenny4 as you can see from: http://security-tracker.debian.org/tracker/source-package/libpng The issues I am concerned about are CVE-2006-7244 and CVE-2009-5063. Notes of the issues are: package libpng is vulnerable; however, the security impact is unimportant., but I think these aren't unimportant as you can see from here: http://www.openwall.com/lists/oss-security/2011/03/22/7 http://www.openwall.com/lists/oss-security/2011/03/28/6 Is there a plan to fix these issues? Should I create a bug-report? It's fixed already since 1.2.39-1 for both issues. Cheers, Moritz Well the tracker says the status for both CVEs is vulnerable. Please note that I am talking about oldstable. Best regards, Henri Salo -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110724150849.ga25...@foo.fgeek.fi
Re: libpng CVE-2006-7244/CVE-2009-5063
Henri Salo wrote: There is two open vulnerabilities in libpng 1.2.27-2+lenny4 as you can see from: http://security-tracker.debian.org/tracker/source-package/libpng The issues I am concerned about are CVE-2006-7244 and CVE-2009-5063. Notes of the issues are: package libpng is vulnerable; however, the security impact is unimportant., but I think these aren't unimportant as you can see from here: http://www.openwall.com/lists/oss-security/2011/03/22/7 http://www.openwall.com/lists/oss-security/2011/03/28/6 Is there a plan to fix these issues? Should I create a bug-report? The CVE entries describe these issues as denial-of-services, which can be chosen to be considered unimportant. Do you have information that the problem is actually more severe than that? If you really want to fix this, you can prepare an ospu and send it to debian-release@l.d.o for review for lenny's next stable update. Best wishes, Mike -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110724140306.2b4341292820cea9055fd...@gmail.com