Date: Fri, 30 Oct 2009 10:15:23 -0500
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com
Subject: Re: MFSA 2009-63

On Fri, 30 Oct 2009 10:27:22 +0100 Tomas Hoger <thoger@...hat.com> wrote:

> On Thu, 29 Oct 2009 15:35:08 -0500 Reed Loden <reed@...dloden.com> wrote:
>
> > What type of specific information are you looking for?
>
> What issues are actually referenced by a CVE, what fixes to backport
> where rebase is not an option (as Florian already explained).

I think we used one CVE per library upgrade, so three in total (libvorbis, liboggz, liboggplay).

As for individual fixes, I don't really know if that's possible, as I mentioned earlier, due to the fact that fixes were dependent on other changes that you would need to backport, too, which all just ends badly. :(

> > I'll see if we can get those still private bugs concerning the media
> > library fixes open sooner rather than later, though.
>
> Even bugs don't make all points clear (499512, 501279#c5) in this case.

Feel free to comment in the bugs asking questions. If you don't receive a response in a reasonable amount of time from one of the developers, drop me a note OOB, and I'll see about making sure somebody replies to you. I'm by no means the media library expert, so I don't know all of the details myself.

Bug 499512 seems to be a liboggplay issue fixed by bug 512328. As for 501279#c5, you'll just have to ask the developers.

I think the advisory is missing a few bugs and is mislabeling a few others. If I get a chance, I'll edit the advisories to add a few other bugs (like 512328). However, if you notice any issues yourself with the advisory, please feel free to report them to me or to security@....

We try to be good at bug dependencies, so if you loop through the bug chains, you may find some bugs that help you better understand all the issues that were fixed by the upgrades.
~reed
Mozilla Security Group

--
Reed Loden - <reed@...dloden.com>