Laundry list...

Todd Freedom_Lover at pobox.com
Wed Jan 28 16:56:54 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jesse Keating wrote:
> On Wednesday 28 January 2004 07:51, Christian Pearce wrote:
>> Testing:
>>
>> * tcpdump
>> * cvs
>> * ethereal
>
> CVS has had some testing on 7.3, I'd like to see somebody test it on
> 7.2 and 8.0 before I launch it, but if that doesn't happen by
> tonight, I'm going to launch it as an update.  Ditto with tcpdump
> and ethereal.

I've been intending to test each of these on 7.2, 7.3, and 8.0 and put
the results into bugzilla.  Sorry that hasn't happened yet.  I do have
test boxes now for all three dists, so hopefully I can get around to
doing something useful.

>> QA:
>> * gaim
>
> I'd have to check the bug again, but I think we made the decision to
> upgrade the gaim version to keep up with protocol changes.  Gaim is
> one of those apps that is at the END of a dep chain, rather than
> somewhere in the middle, so bumping its version isn't going to hurt
> much.

2 questions on this:

1) Are these issues even relevant to gaim-0.59 which is what ships
with 7.2-8.0?  I know the advisories stated most of the issues were
with 0.75 and lower, but my quick (and rather uneducated) glance at
the code makes it seem like some or all of this stuff might not apply
to the older gaim.  If they do apply, the backporting might be fun.
What has RHEL done, if anything?  Looking at the errata page
(https://rhn.redhat.com/errata/rh21ws-errata.html) I don't see
anything released there which makes me think that either they're
having to work hard to backport the fixes or they are not relevant.

2) IIRC, gaim > 0.60 requires gnome2 or kde 3 for any status docklets
or whatever they're called.  The older 0.59 shipped with the legacy
dists this project is targeting had a gnome1 panel applet.  Moving to
the newer version will break this and may piss off quite a few people
who use gaim regularly.  That's just something to consider.  If it's
found that the security issues aren't relevant to 0.59, then it won't
matter at all.

Oh, and for reference, here's the RHEL3 errata page and CVE IDs for
the gaim vulns (the CVE stuff is still not updated to provide anything
useful):

    https://rhn.redhat.com/errata/RHSA-2004-033.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0006
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0007
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0008

Here's the bugtraq post detailing the issues:

    http://www.securityfocus.com/archive/1/351235/2004-01-25/2004-01-31/0

- -- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
The Constitution continues to remain no threat to our current form of
government.
    -- Joseph Sobran

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iD8DBQFAF+nVuv+09NZUB1oRAstCAKCAl0MtqxfLjU1Pm7VUOj+dy035OQCeKELq
HYxxkYo5ZvTD567KEQeXk28=
=kXWM
-----END PGP SIGNATURE-----

More information about the fedora-legacy-list mailing list