Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 26 Nov 2008 19:26:18 +0000
From: Darren Salt <linux@...mustbejoking.demon.co.uk>
To: Matthias Hopf <mhopf@...e.de>, 498243@...s.debian.org
Cc: oss-security@...ts.openwall.com, redpig@...rt.org
Subject: Re: Bug#498243: xine-lib and ocert-2008-008

[xine-user dropped; should probably have been sent to xine-devel, and this
thread doesn't seem to be appearing there anyway]

I demand that Matthias Hopf may or may not have written...

> On Nov 22, 08 17:49:40 +0100, Thomas Viehmann wrote:
[snip]
>> If anyone cares to go over the xine-lib issues (primarily the unfixed
>> ones from Will's section 3), I'd much appreciate a CC. In order to make
>> the analysis and verification more, I would also be interested in the
>> test cases mentioned in the advisory.

> I have fixed all of them (at least I believe so, but I have to verify your
> test case), and we're waiting for new ocert numbers. Given that this takes
> so long, and the issues are public anyway, I will probably upstream the
> fixes soon. If you would verify them it would be awesome.

I'd appreciate these *not* being committed to the 1.1 tip: just make sure
that I get the patch series (no more than one CVE no. per patch), prepared so
that I can just "hg import" each one, and I'll handle things from there.
(Somebody, probably me, will have to backport at least some of this lot for
etch, and separate patches should make this a bit easier.)

I'm currently not sure whether to do 1.1.15.1 or 1.1.16, mainly because
1.1.15.1 can be uploaded to unstable and still make it into lenny; OTOH,
that'd be a new sourceful upload. And I'm not sure that we're ready for
1.1.16 yet anyway.

-- 
| Darren Salt    | linux or ds at              | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Use more efficient products. Use less.          BE MORE ENERGY EFFICIENT.

You will be reincarnated as a toad; and you will be much happier.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.