[kreutzm@itp.uni-hannover.de: Security dead in PLD? And who runs autobuilders?]
Jakub Bogusz
qboosh at pld.org.pl
Wed Apr 23 12:12:33 CEST 2003
On Tue, Apr 22, 2003 at 10:44:10PM +0200, Lukas Dobrek wrote:
> Could anybody at least comment on these issues? This guy
> has the right to get an answer. He is not reading Polish lists
> so he cannot know many things.
>
> ----- Forwarded message from Helge Kreutzmann <kreutzm at itp.uni-hannover.de> -----
>
> *)Apache: 2002-11-26 (#464)
One patch was not applied, done today by kloczek.
> *)Mozilla: 2003-03-31 (asked for alpha build, can I mail the person in
> charge for that directly?)
There is a problem, probably with the compiler - binaries build, but only
segfault... I couldn't find the actual bug (SEGV occurred outside the
program, deep in glibc or the dynamic linker), even -O0 didn't help :(
> *)vixie-cron: 2003-01-23 (#541)
Despite kloczek's comment, it seems to *be* vixie-cron.
I am not sure about the fix - we have all the security patches that
RedHat has. But Debian has many more changes (one huge, ugly patch, as
in Debian), maybe some of them are security-related. Needs to be
investigated.
> *)grub: 2003-01-27 (#548)
Don't know - SuSE wrote about grub as "pending vulnerability" in mysql's
advisory (http://www.suse.de/de/security/2003_003_mysql.html), but since
then haven't released any advisory about grub.
> *)KDE: 2003-02-04 (#552) Several severe problems; upgrade to 3.1
> highly recommended. Is there anything going
> to happen or does PLD ignore KDE (which I
> would not blame them for, although it would
> be sad)
3.0.5b or 3.1.1a - but not complete yet :(
> *)pam: 2003-02-28 (#586)
Don't know, our pam_xauth differs too much from RedHat's to make sure
about this or apply RedHat's patch. Anyway, I've sent a notice to baggins
some time ago.
> *)tcl: 2003-03-20 (#613)
I tried to do the test mentioned in RH's bugzilla for this issue and it
shows that our tcl doesn't search the current directory.
> *)openldap: 2003-03-28 (#624)
This seems to be openldap 2.1-specific (again, close message is wrong
- kreutzm mentioned a new SuSE patch, which changes the UTF-8 support code,
which didn't exist in openldap 2.0.x), so Ra version wasn't vulnerable
to this.
--
Jakub Bogusz http://cyber.cs.net.pl/~qboosh/
PLD Linux http://www.pld.org.pl/