Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to ljlane@debian.org (Laurence J. Lane).
(Sun, 04 Apr 2010 22:21:04 GMT).
Package: imlib2
Version: 1.4.0-1.2
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for imlib2, which is claimed fixed by upstream 1.4.2, which
is already in unstable. lenny is very likely affected, but I can't find
any actionable info, so you will need to touch base upstream to figure
this out.
CVE-2008-6079[0]:
| Multiple unspecified vulnerabilities in imlib2 before 1.4.2 have
| unknown impact and attack vectors.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6079
    http://security-tracker.debian.org/tracker/CVE-2008-6079
Severity set to 'grave' from 'important'
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Mon, 05 Apr 2010 13:27:04 GMT).
Reply sent
to Nico Golde <nion@debian.org>:
You have taken responsibility.
(Mon, 05 Apr 2010 13:33:08 GMT).
Notification sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer.
(Mon, 05 Apr 2010 13:33:09 GMT).
Version: 1.4.2-1
Hey,
* Michael Gilbert <michael.s.gilbert@gmail.com> [2010-04-05 00:34]:
> Package: imlib2
> Version: 1.4.0-1.2
> Severity: important
raised the severity
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for imlib2, which is claimed fixed by upstream 1.4.2, which
> is already in unstable. lenny is very likely affected, but I can't find
> any actionable info, so you will need to touch base upstream to figure
> this out.
This is indeed fixed in 1.4.2. For lenny, yes it is affected and actually I
already identified and backported the fixes to the lenny version. This is
about multiple buffer overflows (heap and stack based) in various loaders. The
stable update will come today or tomorrow.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Reply sent
to Nico Golde <nion@debian.org>:
You have taken responsibility.
(Mon, 05 Apr 2010 14:42:04 GMT).
Notification sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer.
(Mon, 05 Apr 2010 14:42:04 GMT).
Version: 1.4.0-1+lenny1
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Bug No longer marked as fixed in versions 1.4.0-1+lenny1.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Mon, 05 Apr 2010 14:57:09 GMT).
Bug Marked as fixed in versions 1.4.0-1.2+lenny1.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Mon, 05 Apr 2010 15:03:11 GMT).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 27 Jun 2010 07:40:12 GMT).