Bug#552124: qa.debian.org: bogusly warns about security issues when fixed

Package: qa.debian.org
Severity: important

Hi,

let's look at http://packages.qa.debian.org/o/openoffice.org.html. We see at the top:

"There are 5 open security issues, please fix them."

Let's look what they are:

CVE-2009-0200 Integer underflow in OpenOffice.org (OOo) before 3.1.1 and ...

fixed in both etch-security and lenny-security (etch-backports is not relevant anymore) and just waits to be in a point release. Why is this listed as still needing to be fixed?

CVE-2009-0201 Heap-based buffer overflow in OpenOffice.org (OOo) before 3.1.1 and ...

fixed in both etch-security and lenny-security (etch-backports is not relevant anymore) and just waits to be in a point release. Why is this listed as still needing to be fixed?

CVE-2009-2139 Heap-based buffer overflow in svtools/source/filter.vcl/wmf/enhwmf.cxx ...
CVE-2009-2140 Multiple heap-based buffer overflows in ...
CVE-2009-3239 Buffer overflow in the EMF parser implementation in OpenOffice.org ...

fixed, but security-tracker buggy....

CVE-2009-3569 Stack-based buffer overflow in OpenOffice.org (OOo) allows remote ...
CVE-2009-3570 Unspecified vulnerability in OpenOffice.org (OOo) has unspecified ...
CVE-2009-3571 Unspecified vulnerability in OpenOffice.org (OOo) has unknown impact ...

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551068. Nothing to fix there (yet).

At least the first two should not be shown!

Grüße/Regards,

Rene

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@... with a subject of "unsubscribe". Trouble? Contact listmaster@...
Bug#552124: qa.debian.org: bogusly warns about security issues when fixed

On Fri, Oct 23, 2009 at 04:35:39PM +0200, Rene Engelhard wrote:
> CVE-2009-2139 Heap-based buffer overflow in svtools/source/filter.vcl/wmf/enhwmf.cxx ...
> CVE-2009-2140 Multiple heap-based buffer overflows in ...
> CVE-2009-3239 Buffer overflow in the EMF parser implementation in OpenOffice.org ...
>
> fixed, but security-tracker buggy....

This is DSA-1880-1:

# CVE-2009-2139
A vulnerability has been discovered in the parser of EMF files of OpenOffice/Go-oo 2.x and 3.x that can be triggered by a specially crafted document and lead to the execution of arbitrary commands with the privileges of the user running OpenOffice.org/Go-oo. This vulnerability does not exist in the packages for oldstable, testing and unstable.

The other two CVEs talk about the same issues but got missed/double-assigned..

Ccing security team, please fix the security tracker...

Grüße/Regards,

Rene
Bug#552124: marked as done (qa.debian.org: bogusly warns about security issues when fixed)

Your message dated Sat, 24 Oct 2009 13:15:01 -0500
with message-id <4ae34404.c701be0a.584c.3883@...>
and subject line Re: Bug#552124: qa.debian.org: bogusly warns about security issues when fixed
has caused the Debian Bug report #552124,
regarding qa.debian.org: bogusly warns about security issues when fixed
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@... immediately.)

--
552124: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552124
Debian Bug Tracking System
Contact owner@... with problems

Hi Rene,

Whenever you encounter discrepancies in the tracker (in the case data generated by the tracker) please address them via the proper channel (which is not via the qa resources). You can reach the appropriate people via IRC and/or the ML, please take a look at http://security-tracker.debian.org/tracker/data/report (that's right, the tracker is not only on hands of the stable sec team)

Thanks!

Rene Engelhard wrote:
[...]
> Let's look what they are:
>
> CVE-2009-0200 Integer underflow in OpenOffice.org (OOo) before 3.1.1 and
> CVE-2009-0201 Heap-based buffer overflow in OpenOffice.org (OOo) before
> 3.1.1 and ...
>
> fixed in both etch-security and lenny-security (etch-backports is not
> relevant anymore) and just waits to be in a point release.
> Why is this listed as still needing to be fixed?

Because etch-backports is still marked as unfixed, but note that these are not being counted on the number displayed by the PTS.

> CVE-2009-2139 Heap-based buffer overflow in
> svtools/source/filter.vcl/wmf/enhwmf.cxx ...
> CVE-2009-2140 Multiple heap-based buffer overflows in ...

As per IRC discussion, marking 2140 as not affecting the package, and 2139 is just like the others above.

> CVE-2009-3239 Buffer overflow in the EMF parser implementation in
> OpenOffice.org ...

This seems to be a duplicate, reported to mitre.

-2140 and -3239 were still marked as to be checked. We have recently discussed and agreed that in order to process the data faster we would start marking CVE ids as affecting the packages we know they _may_ affect, when there's not enough time to fully investigate the issue. The idea is that other people, the maintainer included, help out. So, in this case it worked, thanks.

> CVE-2009-3569 Stack-based buffer overflow in OpenOffice.org (OOo) allows
> remote ...
> CVE-2009-3570 Unspecified vulnerability in OpenOffice.org (OOo) has
> unspecified ...
> CVE-2009-3571 Unspecified vulnerability in OpenOffice.org (OOo) has
> unknown impact ...
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551068. Nothing to fix
> there (yet).

disclosed or not. Shall those issues be determined as invalid they will be changed accordingly in the tracker.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
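An added reconciliation check, not code from this bug thread or from the Debian security tracker, that reproduces the discrepancy Raphael explains on constructed per-suite status rows: backports-only entries are listed on the package page but not counted, and applying the triage decisions from the reply (2140 not affected, 3239 a duplicate of 2139) brings the count down to the three ids still awaiting determination. The row format, suite names and status vocabulary are assumptions.

```python
from collections import defaultdict

# Suites whose entries the PTS-style counter ignores (assumption from the thread).
BACKPORTS_SUITES = {"etch-backports", "lenny-backports"}

# Constructed (cve, suite, status) rows mirroring the thread; status is one of
# "fixed", "unfixed", "not-affected" or "unknown" (the tracker's "to be checked").
TRACKER_ROWS = [
    ("CVE-2009-0200", "etch-security", "fixed"),
    ("CVE-2009-0200", "lenny-security", "fixed"),
    ("CVE-2009-0200", "etch-backports", "unfixed"),
    ("CVE-2009-0201", "etch-security", "fixed"),
    ("CVE-2009-0201", "lenny-security", "fixed"),
    ("CVE-2009-0201", "etch-backports", "unfixed"),
    ("CVE-2009-2139", "lenny-security", "fixed"),
    ("CVE-2009-2139", "etch-backports", "unfixed"),
    ("CVE-2009-2140", "lenny", "unknown"),   # later marked not-affected
    ("CVE-2009-3239", "lenny", "unknown"),   # later found to duplicate CVE-2009-2139
    ("CVE-2009-3569", "sid", "unfixed"),
    ("CVE-2009-3570", "sid", "unfixed"),
    ("CVE-2009-3571", "sid", "unfixed"),
]

OPEN_STATES = ("unfixed", "unknown")

def pts_open_issues(rows):
    """CVEs the counter shows: open in at least one non-backports suite."""
    return sorted({c for c, s, st in rows
                   if s not in BACKPORTS_SUITES and st in OPEN_STATES})

def backports_only(rows):
    """CVEs listed on the page whose only open entries are backports suites:
    fixed everywhere that counts, so they should not be flagged to the maintainer."""
    open_suites = defaultdict(set)
    for cve, suite, status in rows:
        if status in OPEN_STATES:
            open_suites[cve].add(suite)
    return sorted(c for c, s in open_suites.items() if s <= BACKPORTS_SUITES)

def needs_triage(rows):
    """CVEs still in the 'unknown' state, i.e. assigned provisionally."""
    return sorted({c for c, _, st in rows if st == "unknown"})

def apply_triage(rows, not_affected=(), duplicates=()):
    """Apply the decisions from the thread: mark ids in not_affected as such and
    drop ids in duplicates (their canonical id already carries the status)."""
    return [(c, s, "not-affected" if c in not_affected else st)
            for c, s, st in rows if c not in duplicates]
```

Before triage the constructed data yields the five ids the page complained about; after it only the three 35xx ids remain open and nothing is left in the "unknown" state.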