Hi Sam,

Sam Hocevar wrote:
> Dear security and testing-security teams,
>
> I have prepared sarge and etch packages for the VideoLAN-SA-0702

This VideoLAN advisory is associated with CVE-2007-3316

> advisory (found at http://www.videolan.org/sa0702.html). I took the
> liberty to fix other DoS and buffer overflow bugs in the package, if you

This is great; do you know if these other issues have CVE issues associated with them? The only other one I can find that seems associated with VLC in the Mitre CVE list is:

CVE-2007-0256 (VideoLAN VLC 0.8.6a allows remote attackers to cause a denial of ...)

which is associated with debian bug #407290. Is this what 111_memleak.diff fixes?

If so, it would be good to try and associate the other issues (in 113_overflows.diff, 112_missingchecks.diff and 114_uninitialised.diff) with CVE ids. If there are no CVE IDs assigned for these, can you provide a reference to where these came from and we can get some assigned?

> Lenny is vulnerable to all holes in the advisory. Packages are here:
> http://people.zoy.org/~sam/vlc/0.8.6.a.debian-6lenny1/
>
> Sid is vulnerable to all holes in the advisory. The fixed packages
> will be 0.8.6.c.debian-1.

Please go ahead and upload the fixed versions to sid as soon as possible (urgency=high). I've noted these versions in the security tracker.

Thanks,
Micah

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

