| Field | Value | Field | Value |
|---|---|---|---|
| Summary | app-pda/synce-dccm-0.10.1 vdccm Multiple vulnerabilities (CVE-2007-6703, CVE-2008-1136) | | |
| Product | Gentoo Security | Reporter | Robert Buchholz (RETIRED) <rbu> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | minor | | |
| Priority | High | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://secunia.com/advisories/29228/ | | |
| Whiteboard | ~1 [noglsa] | | |
| Package list | | Runtime testing required | --- |
| Bug Depends on | 178807 | | |
| Bug Blocks | | | |
Description
Robert Buchholz (RETIRED)
2008-03-18 02:41:33 UTC
We do not have >=0.9.2 in the tree, so CVE-2008-1136 should not affect us. However, CVE-2007-6703 might still be a valid problem. pda herd, is this ebuild still maintained?

pda herd, ping.

(In reply to comment #2)
> pda herd, ping.

Any news here?

SynCE ebuilds are maintained in an overlay. See #178807. I'm trying to get it in the tree :)

Next step is to stabilize synce* 0.12, so we can remove those insecure packages.

Is synce-dccm replaced by another package in synce 0.12? Since we waited half a year on this bug already, I don't think we need 0.12 stable right now. How does a two week window of trying it in ~arch sound?

Yes. Now it's called synce-odccm. Actually we have versions 0.11.1 and 0.12, which are currently in ~arch.

I would prefer to see synce-hal instead of any *dccm as this is the direction $UPSTREAM is going. IANADev but I'm happy for a short stabilisation given the amount of time it spent in the overlay.

Ian/Federico, can you please point out an exact list of stable targets for synce? Then I'll add arches to CC on this bug. Furthermore, is the fact that the Gentoo PDA guide is not yet finished a blocker for stabilization?

ping, Ian and Federico, please look at the previous comment.

ping?

Hmm, where was I? The only arches I know SynCE is regularly used on are x86 and amd64. There are some bsd'ers but I don't think they use Gentoo... Is that enough?

With stable targets I meant which ebuilds (package names, versions) should go stable.

Adjusting whiteboard severity because of remote code execution (CVE-2008-1136).

Changing whiteboard state to ebuild, as I don't see an ebuild in the tree.

*ping* to pda herd!

*ping*

Please bump, then let us close this.

OK, what exactly needs to be done here? synce-dccm could probably be removed but I can't remember if it's needed for 2003 or earlier devices. synce-hal or synce-odccm definitely obsolete it. PS, what pda herd? :p

OK, the original bug was about vdccm which is no longer in the tree nor supported by SynCE. Its successors synce-odccm and synce-hal are well past these affected versions. erg, this bug can be closed. After all this isn't a stabilisation bug, just a vulnerability one. :)

synce-dccm is no longer in portage (pending on bug 340007 for reinclusion), and because it's been fixed upstream, if this is ever going to be restored, it'll be fixed. Feel free to close this bug as you see fit.

Package was never stable. Closing noglsa.