Your message dated Mon, 18 Oct 2010 11:52:40 -0200
with message-id <1287409960.18111.24.ca...@couve.horta>
and subject line Re: Bug#599830: Multiple security issues
has caused the Debian Bug report #599830,
regarding Multiple security issues
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
599830: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599830
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: webkit
Severity: grave
Tags: security
The following security issues need to be fixed in Webkit:
http://security-tracker.debian.org/tracker/CVE-2010-1807
http://security-tracker.debian.org/tracker/CVE-2010-2646
http://security-tracker.debian.org/tracker/CVE-2010-2651
http://security-tracker.debian.org/tracker/CVE-2010-3115
Also, the status of #532514 should finally be resolved
for Squeeze.
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
--- Begin Message ---
Version: 1.2.5-1
Hey,
On Sun, 2010-10-17 at 22:27 +0200, Moritz Muehlenhoff wrote:
> On Mon, Oct 11, 2010 at 07:50:48PM +0200, Moritz Muehlenhoff wrote:
> > Package: webkit
> > Severity: grave
> > Tags: security
> >
> > The following security issues need to be fixed in Webkit:
> >
> > http://security-tracker.debian.org/tracker/CVE-2010-1807
> > http://security-tracker.debian.org/tracker/CVE-2010-2646
> > http://security-tracker.debian.org/tracker/CVE-2010-2651
> > http://security-tracker.debian.org/tracker/CVE-2010-3115
> >
> > Also, the status of #532514 should finally be resolved
> > for Squeeze.
>
> People were claming that Webkit would be more maintainable
> and supported then the version in Lenny.
>
> Still, there's no followup from the maintainers since a week.
I'm kinda busy, sorry. This weekend I worked on packaging 1.2.5 after
having worked on getting many CVEs handled upstream. Michael Gilbert
also worked on a few more CVEs for the Debian package. The package I
finished uploading this morning has the following CVEs handled, from
upstream:
CVE-2010-1780 CVE-2010-3113 CVE-2010-1814 CVE-2010-1812
CVE-2010-1815 CVE-2010-3115 CVE-2010-1807 CVE-2010-3114
CVE-2010-3116 CVE-2010-3257 CVE-2010-3259
And these from Michael Gilbert's work:
* fix cve-2010-2646: security origin bypass using IFRAME elements.
* fix cve-2010-2651: vulnerability in css style rendering.
* fix cve-2010-2900: vulnerability with large canvas elements when using the
SKIA library.
* fix cve-2010-2901: vulnerability in the rendering implementation.
* fix cve-2010-3120: vulnerability in geolocation feature.
Note that some CVEs listed above do not really affect WebKitGTK+ at its
current version in Debian because we do not use skia nor enable
geolocation yet.
About #532514 this is how we generate random numbers (see
http://trac.webkit.org/browser/trunk/JavaScriptCore/wtf/RandomNumber.cpp#L70):
uint32_t part1 = random() & (RAND_MAX - 1);
uint32_t part2 = random() & (RAND_MAX - 1);
// random only provides 31 bits
uint64_t fullRandom = part1;
fullRandom <<= 31;
fullRandom |= part2;
// Mask off the low 53bits
fullRandom &= (1LL << 53) - 1;
return static_cast<double>(fullRandom)/static_cast<double>(1LL << 53);
I am not knowledgeable enough to asses the strength of this method,
hopefully you can provide some insight? In the upstream bugreport Sam
Weinig says this was a Windows-only issue, FWIW.
Thanks,
--
Gustavo Noronha Silva <k...@debian.org>
Debian Project
--- End Message ---
