Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: CVE-2006-2453 Additional dia format string flaws
------- Additional Comments From j.w.r.degoede(a)hhs.nl 2006-05-28 05:49 EST -------
(In reply to comment #3)
Have a question. If this has been fixed for FC5 (or, I guess the
correct moniker would be "FE5"), and this is a security issue -- so people who
need to know (and don't have yum automatically set to update their FC5 systems)
DO know that this has been fixed -- should there not be an announcement for this
fix and the CVE-2006-2480 fix (in Bug 192535) published to the
fedora-package-announce list, like Caolan McNamara's announcement here?:
Not everybody has yum working to automatically update their FC5 installs, so
unless there is an announcement somewhere, how will they know to update their
dia to dia-0.95-3??
I agree, An announcement should be sent for this and for bug 192535. I've asked
the Fedora Security Response Team to post such an announcement in bug 192535,
but no response sofar.
Another unrelated question: Do you mind if we in Fedora Legacy
fixes you made for maintaining the older legacy versions of dia?
Not at all I've also submitted the patch upstream where it has been committed
into CVS as far as I'm concerned the patch is under the same license as dia.
If so, may we
include you, Hans, in the cc: list for such a bugzilla entry? The open Bugzilla
Bug Fedora Legacy has for dia currently is Bug #190942
Feel free to add me to the CC.
In which we also
discovered that the CVE-2005-2966 may not have been covered either here, in FC,
or in RHEL... (This CVE may not affect FedoraExtras, but may affect Fedora Core
4, RHEL 4/3/2.x?...)
I think this CVE was 0.95 pre release specific, but I'm not sure I did a diff
between the affected and the unaffected dia 0.95-pre releases and both the total
diff and the relevant part of the diff were small and the fix was small and
sane, unfortunatly I didn't keep the fix around as a seperate patch, but
backporting it if it does affect older versions should be simple.
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.