[debian-devel:12437] Re: to reiterate, why are there no security updates on the front page? (Or, 17 security holes the security team hasn't told you about)
- From: Taketoshi Sano <kgh12351@xxxxxxxxxxx>
- Subject: [debian-devel:12437] Re: to reiterate, why are there no security updates on the front page? (Or, 17 security holes the security team hasn't told you about)
- Date: Tue, 30 May 2000 13:11:40 +0900
- X-dispatcher: imput version 991025(IM133)
- X-fingerprint: DA 00 13 8C 49 BB 60 BE A4 54 3D AF 2E CE 28 DD
- X-ml-info: If you have a question, send a mail with the body "# help" (without quotes) to the address debian-devel-ctl@debian.or.jp; help=<mailto:debian-devel-ctl@debian.or.jp?body=help>
- X-ml-name: debian-devel
- X-mlserver: fml [fml 2.2]; post only (only members can post)
- References: <20000528225633.L6106@xxxxxxxxxxx> <20000529135901.A1377@xxxxxxxxxxxxxx>
- Message-id: <y5ad7m5j5ul.fsf@xxxxxxxxxxxxxxxxxxxx>
- X-mail-count: 12437
- User-agent: T-gnus/6.13.3 (based on Pterodactyl Gnus v0.98) EMIKO/1.13.9 (Euglena tripteris) FLIM/1.13.2 (Kasanui) APEL/10.2 Emacs/20.6 (i386-debian-linux-gnu) MULE/4.0 (HANANOEN)
This is Sano from Hamamatsu.
From the debian-www list (it seems to be circulating on other lists such as debian-devel too):
> > kon2 (0.3.9b-0slink1) stable; urgency=high
> > * [Security FIX] buffer overrun security problem fixed.
>
> Vague memories, I'm pretty certain the maintainer neglected to contact us
> at any rate.
So they say (> Mutsumi-san). Wouldn't it be better to explain things properly?
If it's a case of "the contact method isn't made explicit, so I didn't know",
then unless you write that out clearly and respond, I think there's a chance
it will be taken as "knew about it and ignored it".
Well, if it really was "I knew but was too busy", I think you should just
honestly write that and apologize. Was there an explanation of the procedure
for security updates to stable in the "Developer's Reference" or somewhere?
From a quick look, there is something like
Only critical changes or security bug fixes make it into stable. When
a security bug is detected a fixed package should be uploaded as soon
as possible. In this case, the Debian Security Managers should get in
contact with the package maintainer to make sure a fixed package is
uploaded within a reasonable time (less than 48 hours). If the
package maintainer cannot provide a fixed package fast enough or if
he/she cannot be reached in time, the Security Manager may upload a
fixed package (i.e., do a source NMU).
so it might be fine to ask on -devel something like "I thought the Security
Manager would contact me, according to our current developers reference. Is
this a bug in dev-ref?"
In article <20000529135901.A1377@xxxxxxxxxxxxxx>,
at "Mon, 29 May 2000 13:59:02 +0200",
Wichert Akkerman <wichert@xxxxxxxxx> writes:
> Previously Joey Hess wrote
> > Why is the last security update listed on the www.debian.org web page,
> > and the last security announcement posted to debian-security-announce,
> > from way back in March?
>
> One reason: we probably need one or two extra people in the security
> team. We had someone join the security team last year only to leave
> before doing anything, and another this year who is still a member
> but doesn't seem to have done anything yet.
>
> I'm guessing that we'll get a bunch of replies from people stating that
> they want to volunteer. We'll probably ignore or reject most of those
> since we want people we know we can trust.
>
> > While a quick grep of debian-changes for this month and April for
> > "security" finds:
>
> Let's ignore all the ones from potato and woody, we don't support that.
> That leaves:
>
> > xlockmore (4.12-4.1) stable; urgency=high
> > * Non-maintainer upload by security team
> > * Fix buffer overflow in resource handling
>
> I recompiled and uploaded that just before I left for SANE
> and didn't get around to sending the advisory. m68k recompiles take
> a bit too long unfortunately.
>
> > kon2 (0.3.9b-0slink1) stable; urgency=high
> > * [Security FIX] buffer overrun security problem fixed.
>
> Vague memories, I'm pretty certain the maintainer neglected to contact us
> at any rate.
>
> > roxen (1.2beta2-3.1) stable; urgency=high
> > * Security fix - html encoding the output of the tags
> > referer, accept-language, clientname, file
> > Attacker can include code to be parsed by the server
>
> Hmm, very old one. I remember having serious issues recompiling it for
> some architectures, combined with the fact that non-free isn't
> a part of Debian and security.d.o isn't split into main/contrib/non-free
> for slink made me decide to ignore it.
>
> > floppybackup (1.3-2) stable; urgency=high
> > * Security Fix - fixed temporary file use
>
> See kon2, but without the vague memories.
>
> > mtr (0.28-1) stable; urgency=high
> > * Security fix for theoretical stack-smash-and-fork attack -
> > s/seteuid/setuid/ in mtr.c
> >
> > nmh (0.27-0.28-pre8-4) stable; urgency=high
> > * Applied patch to fix security hole which allowed untrusted shell
> > code to be executed.
>
> These two were announced, no idea why they show up with a later date.
>
> Wichert.
Well then.
# I haven't done an NMU of the slink version of mh. I did upload mh-ja to JP, though.
# I guess I have to do it after all, huh.
--
# (My home is Hamamatsu City, famous for "the snack of the night".)
<kgh12351@xxxxxxxxxxx> : Taketoshi Sano (佐野 武俊)
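The thread above turns on Joey Hess's "quick grep of debian-changes" for security uploads that never got an advisory. As an added illustration (not code from the thread or from Debian), here is a small Python script that does that cross-check more carefully than a bare grep: it parses changelog stanzas of the form "package (version) distribution; urgency=level", keeps only uploads to stable whose change lines mention security (the potato/woody exclusion Wichert applies), and reports those with no matching entry in a set of announced packages. The sample stanzas are constructed; the xlockmore and kon2 ones are copied from the mail, the "foo" and "bar" ones are made up to exercise the filters, and the set of announced packages is an assumption standing in for the debian-security-announce archive.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of changelog stanzas as they appear in
# debian-changes mails. The xlockmore and kon2 stanzas are copied from the
# thread above; the "foo"/"bar" stanzas are made up to exercise the filters.
SAMPLE_CHANGES = """\
xlockmore (4.12-4.1) stable; urgency=high
  * Non-maintainer upload by security team
  * Fix buffer overflow in resource handling

kon2 (0.3.9b-0slink1) stable; urgency=high
  * [Security FIX] buffer overrun security problem fixed.

foo (1.0-1) unstable; urgency=low
  * Security fix that only went to unstable

bar (2.0-1) stable; urgency=high
  * Fix documentation typo
"""

# Header of a changelog stanza: "package (version) distribution; urgency=level"
STANZA_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=(\w+)\s*$")


@dataclass
class Entry:
    package: str
    version: str
    distribution: str
    urgency: str
    changes: list = field(default_factory=list)

    def mentions_security(self) -> bool:
        """True if any change line talks about security (case-insensitive)."""
        return any("security" in line.lower() for line in self.changes)


def parse_changes(text: str) -> list:
    """Split a debian-changes style body into Entry objects, in order."""
    entries = []
    current = None
    for raw in text.splitlines():
        m = STANZA_RE.match(raw)
        if m:
            current = Entry(*m.groups())
            entries.append(current)
        elif current is not None and raw.strip().startswith("*"):
            # Bullet line belonging to the current stanza; drop the "*" marker.
            current.changes.append(raw.strip().lstrip("*").strip())
    return entries


def security_uploads(entries, distribution="stable"):
    """Uploads to the given distribution whose changes mention security."""
    return [e for e in entries
            if e.distribution == distribution and e.mentions_security()]


def unannounced(entries, announced_packages, distribution="stable"):
    """Package names of security uploads with no matching advisory."""
    return [e.package for e in security_uploads(entries, distribution)
            if e.package not in announced_packages]


if __name__ == "__main__":
    parsed = parse_changes(SAMPLE_CHANGES)
    # Assumed: only xlockmore had an advisory on debian-security-announce.
    print(unannounced(parsed, {"xlockmore"}))
```

In practice the input would be the concatenated bodies of a month of debian-changes mail and the announced set would be scraped from the debian-security-announce archive; the stable-only filter is what keeps potato and woody uploads out of the list, matching the scope the security team actually supports.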