I'm writing [unconfirmed] now when I've found new advisories or bugs but haven't had time to fully research them and see if they really are vulnerabilities and whether Debian is vulnerable (potato, woody, sarge, sid). It seems that since mdz has been put on the Security Team proper, he's released DSAs just after I find the bids, advisories or speculation of bugs. This is likely coincidental, but nice to see the speed at which advisories are released.
http://www.securityfocus.com/bid/7902/discussion/
http://www.securityfocus.com/bid/7906/discussion/
http://www.securityfocus.com/bid/7907/discussion/
say: "It should be noted that although this vulnerability has been reported to affect atftp version 0.7cvs, other versions might also be vulnerable."

Without spending too much time on this I can say that I doubt the security advisory addresses these bids, which came out after it, and at least two of them are local buffer overflows which I'm not sure would even be vulnerabilities if atftp is not set up setuid/setgid... I also may have accidentally included the bid that was fixed in the list of three.

Drew Daniels