oss-sec mailing list archives
Re: MFSA 2009-63
From: Reed Loden <reed () reedloden com>
Date: Fri, 30 Oct 2009 10:15:23 -0500
On Fri, 30 Oct 2009 10:27:22 +0100 Tomas Hoger <thoger () redhat com> wrote:
> On Thu, 29 Oct 2009 15:35:08 -0500 Reed Loden <reed () reedloden com> wrote:
> > What type of specific information are you looking for?
>
> What issues are actually referenced by a CVE, what fixes to backport where rebase is not an option (as Florian already explained).

I think we used one CVE per library upgrade, so three in total (libvorbis, liboggz, liboggplay). As for individual fixes, I don't really know if that's possible, as I mentioned earlier, due to the fact that fixes were dependent on other changes that you would need to backport, too, which all just ends badly. :(

> > I'll see if we can get those still private bugs concerning the media library fixes open sooner rather than later, though.
>
> Even bugs don't make all points clear (499512, 501279#c5) in this case.

Feel free to comment in the bugs asking questions. If you don't receive a response in a reasonable amount of time from one of the developers, drop me a note OOB, and I'll see about making sure somebody replies to you. I'm by no means the media library expert, so I don't know all of the details myself.

Bug 499512 seems to be a liboggplay issue fixed by bug 512328. As for 501279#c5, you'll just have to ask the developers.

I think the advisory is missing a few bugs and is mislabeling a few others. If I get a chance, I'll edit the advisories to add a few other bugs (like 512328). However, if you notice any issues yourself with the advisory, please feel free to report any issues to me or to security@m.o.

We try to be good at bug dependencies, so if you loop through the bug chains, you may find some bugs that help you better understand all the issues that were fixed by the upgrades.

~reed
Mozilla Security Group

--
Reed Loden - <reed () reedloden com>