Date: Fri, 30 Oct 2009 10:15:23 -0500
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com
Subject: Re: MFSA 2009-63

On Fri, 30 Oct 2009 10:27:22 +0100
Tomas Hoger <thoger@...hat.com> wrote:

> On Thu, 29 Oct 2009 15:35:08 -0500 Reed Loden <reed@...dloden.com>
> wrote:
> 
> > What type of specific information are you looking for?
> 
> What issues are actually referenced by a CVE, what fixes to backport
> where rebase is not an option (as Florian already explained).

I think we used one CVE per library upgrade, so three in total
(libvorbis, liboggz, liboggplay). As for individual fixes, I don't
really know if that's possible, as I mentioned earlier, due to the fact
that fixes were dependent on other changes that you would need to
backport, too, which all just ends badly. :(

> > I'll see if we can get those still private bugs concerning the media
> > library fixes open sooner rather than later, though.
> 
> Even bugs don't make all points clear (499512, 501279#c5) in this case.

Feel free to comment in the bugs asking questions. If you don't receive
a response in a reasonable amount of time from one of the developers,
drop me a note OOB, and I'll see about making sure somebody replies to
you. I'm by no means the media library expert, so I don't know all of
the details myself. Bug 499512 seems to be a liboggplay issue fixed by
bug 512328. As for 501279#c5, you'll just have to ask the developers.

I think the advisory is missing a few bugs and is mislabeling a few
others. If I get a chance, I'll edit the advisories to add a few
other bugs (like 512328). However, if you notice any issues yourself
with the advisory, please feel free to report any issues to me or to
security@.... We try to be good at bug dependencies, so if you
loop through the bug chains, you may find some bugs that help you better
understand all the issues that were fixed by the upgrades.

~reed
Mozilla Security Group

-- 
Reed Loden - <reed@...dloden.com>
