Your message dated Wed, 16 Jul 2008 16:57:02 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#488358: CVE-2008-2785 fixed in 3.0.1-1
has caused the Debian Bug report #488358,
regarding iceweasel: CVE-2008-2786 CVE-2008-2785: two vulnerabilities with
unknown impact
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
488358: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488358
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: iceweasel
Version: 3.0~rc2-2
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for iceweasel.
CVE-2008-2786[0]:
| Buffer overflow in Firefox 3.0 and 2.0.x has unknown impact and attack
| vectors. NOTE: due to lack of details as of 20080619, it is not clear
| whether this is the same issue as CVE-2008-2785. A CVE identifier has
| been assigned for tracking purposes.
CVE-2008-2785[1]:
| Unspecified vulnerability in Firefox 3.0 and 2.0.x has unknown impact
| and remote attack vectors, aka ZDI-CAN-349.
I've set the severity to important for now, since there aren't many
information :/
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2786
http://security-tracker.debian.net/tracker/CVE-2008-2786
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2785
http://security-tracker.debian.net/tracker/CVE-2008-2785
--- End Message ---
--- Begin Message ---
Version: 3.0.1-1
On Wed, Jul 16, 2008 at 04:14:48PM +0200, Nico Golde <[EMAIL PROTECTED]> wrote:
> Hi,
> note that CVE-2008-2785 has been fixed with the 3.0.1-1
> upload referring to the upstream security advisory on
> http://www.mozilla.org/security/announce/2008/mfsa2008-34.html
Note that 3.0.1-1 was uploaded before the upstream security advisory
was released, so it doesn't refer to the MFSA or CVE numbers.
Also note that technically, these bugs affect the xulrunner-1.9 package,
not the iceweasel package. But iceweasel 3.0.1-1 depending on xulrunner-1.9
>> 1.9~rc2-5, and 1.9.0.1-1 being next after 1.9~rc2-5, this is roughly the
same (except for epiphany and friends, but the BTS is surely not the
best place to keep proper security fix versioning, security-tracker should
be)
> Unfortunately it is not yet clear whether CVE-2008-2786 is
> the same issue or not.
There are two fixes in the diff between 3.0 and 3.0.1 that look like
overflow fixing, and that are very similar:
one in layout/style/nsCSSValue.h and one in
rdf/base/src/nsInMemoryDataSource.cpp.
Maybe each CVE refers to each of these.
There is also a crash bug that is fixed, but MFSA-2008-24 explicitely
talks about CVE-2008-2785, so this leaves only CVE-2008-2786 as unexplained,
and CVE-2008-2786 is about a buffer overflow, which is not what the fixed
crash seems to lead to, I'd say. This crash is:
https://bugzilla.mozilla.org/show_bug.cgi?id=440473
Note that if that were really CVE-2008-2786, it would not be a public bug.
So it looks pretty much like both are fixed. If you don't agree, feel
free to reopen.
Mike
--- End Message ---
