kfreebsd-7/ kfreebsd-6 stable update for CVE-2009-1935 and FreeBSD-SA-09:10.ipv6
Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for kfreebsd-7/kfreebsd-6 some time ago.

CVE-2009-1935[0]:
| Integer overflow in the pipe_build_write_buffer function
| (sys/kern/sys_pipe.c) in the direct write optimization feature in the
| pipe implementation in FreeBSD 7.1 through 7.2 and 6.3 through 6.4
| allows local users to bypass virtual-to-physical address lookups and
| read sensitive information in memory pages via unspecified vectors.

FreeBSD-SA-09:10.ipv6[1]:
| Missing permission check on SIOCSIFINFO_IN6 ioctl

Unfortunately the vulnerability described above is not important enough to get it fixed via a regular security update in Debian stable. It does not warrant a DSA. However, it would be nice if this could get fixed via a regular point update[2]. Please contact the release team for this.

This is an automatically generated mail; in case you are already working on an upgrade this is of course pointless.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1935
    http://security-tracker.debian.net/tracker/CVE-2009-1935
[1] http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc
[2] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

Kind regards
Giuseppe.
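The first advisory above describes the classic end-of-range wraparound: a user-supplied (base, len) pair whose sum overflows, so the loop that is supposed to look up every page of the buffer runs zero times and the kernel goes on to use pages it never validated. The following is an added example written for this page, not FreeBSD's sys_pipe.c and not taken from the advisory: the function names, the page-walk loop and the sample addresses are hypothetical stand-ins for the virtual-to-physical lookups the CVE text says can be bypassed. It shows the unchecked shape next to the checked one, including the second place a wrap can hide, in round_page() of the end address.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE  ((uintptr_t)4096)
#define PAGE_MASK  (PAGE_SIZE - 1)
#define trunc_page(x) ((uintptr_t)(x) & ~PAGE_MASK)
#define round_page(x) (((uintptr_t)(x) + PAGE_MASK) & ~PAGE_MASK)

/* Unchecked shape (hypothetical, not FreeBSD's code): the end of the user
 * range is computed as base + len with no wraparound test. When the sum
 * wraps, endaddr ends up below addr, the per-page loop never executes, and
 * the caller proceeds with a "buffer" whose pages were never looked up.
 * Returns how many pages were actually looked up. */
unsigned long walk_pages_unchecked(uintptr_t base, uintptr_t len)
{
    uintptr_t addr = trunc_page(base);
    uintptr_t endaddr = round_page(base + len);
    unsigned long npages = 0;

    for (; addr < endaddr; addr += PAGE_SIZE)
        npages++;               /* stand-in for the virtual-to-physical lookup */
    return npages;
}

/* Checked shape: refuse the range if base + len wraps, or if rounding the
 * end up to a page boundary wraps to 0. Returns the page count, or -1
 * (a kernel would map this to EFAULT) for a bad range. */
long walk_pages_checked(uintptr_t base, uintptr_t len)
{
    uintptr_t addr, end, endaddr;
    long npages = 0;

    if (len > UINTPTR_MAX - base)       /* base + len would wrap */
        return -1;
    end = base + len;
    endaddr = round_page(end);
    if (endaddr < end)                  /* round_page() wrapped to 0 */
        return -1;
    for (addr = trunc_page(base); addr < endaddr; addr += PAGE_SIZE)
        npages++;
    return npages;
}

int main(void)
{
    uintptr_t base = UINTPTR_MAX - 0x7ff;   /* last 2 KiB of the address space */
    printf("unchecked: %lu pages looked up for a wrapping range\n",
           walk_pages_unchecked(base, 0x1000));
    printf("checked:   %ld (range rejected)\n", walk_pages_checked(base, 0x1000));
    return 0;
}
```

The two rejections are distinct: a length that makes base + len wrap is caught by the first test, while a short length that leaves base + len intact but pushes round_page() past the top of the address space is only caught by the second. A fix that adds just the first check leaves the second window open.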
Re: GNU/kFreeBSD packages in the Debian archive
Hi!

On Mon, 2009-06-08 at 14:21:09 +0200, Aurelien Jarno wrote:
> As a consequence, on GNU/Linux the temporary directory has lost the
> setgid bit, and is still uid=buildd, gid=sbuild. Files are unpacked with
> uid=buildd and gid=buildd, given that the temporary directory has lost
> the setgid bit.
>
> On GNU/kFreeBSD, the temporary directory has also lost the setgid bit,
> and is also uid=buildd, gid=sbuild. Files are unpacked with uid=buildd
> and gid=sbuild as the gid is determined by the parent directory.
>
> Some coreutils tests fail if the files are not unpacked with gid being the
> primary group of the user. They are skipped if the directory is setgid,
> but the kFreeBSD case is not taken into account.
>
> I'll temporarily change /buildd to gid=buildd on the buildds, but it looks
> like we need a fix at some point. coreutils should probably be fixed,
> but skipping the tests is probably not a good idea either. I wonder if
> we should change dpkg to also force uid and gid of the temporary
> directory while unpacking. I suspect that other packages than coreutils
> might be affected. Guillem, as a dpkg maintainer, do you have an opinion
> on that?

The source should be able to build without the Debian packaging from an upstream PoV anyway. The current coreutils behaviour is not really deterministic, as it depends on the system the source has been unpacked on, the user that unpacked it (e.g. root preserves tar users by default), and the file system options (native, mount, setgid, etc.).

Given this, I'd say that if coreutils needs a specific owner in files to be able to do some checks, then it should arrange for itself to set them before the checks. And that the current undefined dpkg-source behaviour should be fine as it is. This seems the most portable option to me.

regards,
guillem
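The disagreement above comes down to two group-ownership rules: on BSD-derived kernels a new file always takes the gid of its parent directory, while on Linux it takes the creating process's effective gid unless the directory is setgid. The following is an added example for this page, not code from coreutils, dpkg or the buildd setup: it probes which rule applies in a given directory, reports whether the directory is setgid, and shows the "arrange for itself to set them before the checks" step as an fchown() to the process's egid, after which the result is the same under either rule. The function and macro names are hypothetical.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700     /* mkdtemp(), fchown() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define GID_PROBE_ERROR (-1)
#define GID_IS_EGID      0   /* new file got the process's effective gid */
#define GID_IS_DIR_GID   1   /* new file got the parent directory's gid  */

/* 1 if `dir` carries the setgid bit, 0 if not, -1 if it is not a directory. */
int dir_is_setgid(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return (st.st_mode & S_ISGID) ? 1 : 0;
}

/* Create a scratch file in `dir`, report whose gid it received, remove it.
 * With fix != 0 the file is first chgrp'ed to the process egid via
 * fchown(); that is the normalisation step a test suite can do itself so
 * the outcome no longer depends on Linux vs. kFreeBSD or on a setgid dir. */
int probe_new_file_gid(const char *dir, int fix)
{
    char path[4096];
    struct stat st;
    int fd, rc = GID_PROBE_ERROR;

    if (snprintf(path, sizeof path, "%s/.gidprobe.%ld", dir, (long)getpid())
            >= (int)sizeof path)
        return GID_PROBE_ERROR;
    fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0)
        return GID_PROBE_ERROR;
    if (fix)   /* we own the file and belong to our own egid, so this is permitted */
        (void)fchown(fd, (uid_t)-1, getegid());
    if (fstat(fd, &st) == 0)
        rc = (st.st_gid == getegid()) ? GID_IS_EGID : GID_IS_DIR_GID;
    close(fd);
    unlink(path);
    return rc;
}

/* Run the probe in a fresh private directory under /tmp (assumed to exist). */
int probe_in_tempdir(int fix)
{
    char tmpl[] = "/tmp/gidprobe.XXXXXX";
    char *dir = mkdtemp(tmpl);
    int rc;
    if (dir == NULL)
        return GID_PROBE_ERROR;
    rc = probe_new_file_gid(dir, fix);
    rmdir(dir);
    return rc;
}

int main(void)
{
    static const char *label[] = { "process egid", "parent directory gid" };
    int raw = probe_in_tempdir(0), fixed = probe_in_tempdir(1);
    if (raw < 0 || fixed < 0) { perror("probe"); return 1; }
    printf("/tmp setgid: %d\n", dir_is_setgid("/tmp"));
    printf("new file in a fresh /tmp subdir gets the %s\n", label[raw]);
    printf("after fchown() to egid it has the %s\n", label[fixed]);
    return 0;
}
```

Run on the buildd as the buildd user against /buildd, the unfixed probe would report GID_IS_DIR_GID on kFreeBSD and GID_IS_EGID on Linux for the same non-setgid directory, which is exactly the case the coreutils skip logic does not cover; the fixed probe reports GID_IS_EGID on both.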