[Bug 198108] CVE-2006-3581, CVE-2006-3582: Multiple stack/heap overflow vulnerabilities in adplug
bugzilla at redhat.com
bugzilla at redhat.com
Fri Jul 28 16:26:19 UTC 2006
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: CVE-2006-3581, CVE-2006-3582: Multiple stack/heap overflow vulnerabilities in adplug
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198108
------- Additional Comments From ville.skytta at iki.fi 2006-07-28 12:17 EST -------
(In reply to comment #4)
> Yeah, sorry I know, in this case I happened to maintain all affected packages
Yes, but only in FE. 3rd party repositories and local packages which use the
libs are affected too.
> However, a first timer the question arise: how do I properly retire an .so
> file with security vulnerabilities? (Cannot find a good idea in any
> guidelines.)
If doable and feasible, backporting only the security fixes and avoiding the
soname change would be one way of handling it smoothly.
An incompatible upgrade policy and instructions are slowly in the works, but so
far there is no consensus except that the very least one should do is to send a
mail to fedora-maintainers, notifying about the issue, beforehand if at all
possible so others (including non-FC/FE packagers) can prepare.
Here's one example which IMO is being handled well.
https://www.redhat.com/archives/fedora-maintainers/2006-July/msg00397.html
https://www.redhat.com/archives/fedora-maintainers/2006-July/msg00398.html
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
More information about the security
mailing list