From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-sysadm/2011-November/004086.html | 142 ++++++++++++++++++++++++ 1 file changed, 142 insertions(+) create mode 100644 zarb-ml/mageia-sysadm/2011-November/004086.html (limited to 'zarb-ml/mageia-sysadm/2011-November/004086.html') diff --git a/zarb-ml/mageia-sysadm/2011-November/004086.html b/zarb-ml/mageia-sysadm/2011-November/004086.html new file mode 100644 index 000000000..761ab786b --- /dev/null +++ b/zarb-ml/mageia-sysadm/2011-November/004086.html @@ -0,0 +1,142 @@ + + + + [Mageia-sysadm] Improving the mageia-updates@ messages + + + + + + + + + +

[Mageia-sysadm] Improving the mageia-updates@ messages

+ Anssi Hannula + anssi at mageia.org +
+ Fri Nov 11 02:28:14 CET 2011 +

+
+ +
Hi!
+
+I can think of some improvements to the update announcements:
+
+"Must-have":
+- Affected distribution
+- Updated package version-release (and probably names as well)
+
+"Nice-to-have":
+- Unnecessary duplication in Subject line, drop the
+  "Package update: " part since it already has "[updates-announce]".
+- Information footer (at least mailing list info, maybe something else)
+- Some kind of ID even without a real advisory database (other than
+  mailing list archives, and some way to prevent duplicate ids by
+  mistake), so that we can be included in pages like
+  http://lwn.net/Alerts/
+  I suggest format 'MGASA-2011-1' for security updates.
+  For other updates, maybe 'MGAA-2011-1', or 'MGAUA-2011-1'.
+
+"Maybe?":
+- [mageia-updates] instead of [updates-announce]
+
+
+For example:
+
+Subject: [mageia-updates] MGASA-2011-1: libpng
+________________________________________________________________________
+
+ Mageia Security Advisory                                  MGASA-2011-1
+
+ Distribution: Mageia 1
+ Package: libpng
+________________________________________________________________________
+
+Several vulnerabilities were discovered and corrected in libpng:
+
+* All released versions of libpng (from 1.0 onward) have a buffer
+  overrun in the code that promotes palette images with transparency
+  (1 channel) to grayscale+alpha images (2 channels), but only for
+  applications that call png_rgb_to_gray() and not png_set_expand().
+  (None are known.) An arbitrary amount of memory may be overwritten
+  in this case, with arbitrary (attacker-controlled) data.
+  This vulnerability has been assigned ID CVE-2011-2690.
+
+* libpng 1.2.20 and later crashes in png_default_error() due to internal
+  use of a NULL pointer instead of the empty string (""). This
+  vulnerability
+  has been assigned ID CVE-2011-2691.
+
+* Many (most?) versions of libpng read uninitialized memory when
+  handling
+  empty sCAL chunks, and they handle malformed sCAL chunks (those
+  lacking
+  a delimiting NULL between the internal strings) incorrectly.
+  This vulnerability has been assigned ID CVE-2011-2692.
+
+The updated packages have been updated to latest stable version to
+correct these issues, plus other bug fixes.
+________________________________________________________________________
+
+Updated packages: (or maybe only src package name + versions, to keep
+                   it shorter for e.g. tb/firefox updates?)
+
+Mageia 1, i586:
+   libpng3-1.2.46-1.mga1.i586.rpm
+   libpng-devel-1.2.46-1.mga1.i586.rpm
+   libpng-source-1.2.46-1.mga1.i586.rpm
+   libpng-static-devel-1.2.46-1.mga1.i586.rpm
+
+Mageia 1, x86_64:
+   lib64png3-1.2.46-1.mga1.x86_64.rpm
+   lib64png-devel-1.2.46-1.mga1.x86_64.rpm
+   lib64png-static-devel-1.2.46-1.mga1.x86_64.rpm
+   libpng-source-1.2.46-1.mga1.x86_64.rpm
+
+-- 
+mageia-updates mailing list.
+To unsubscribe, blablabla.
+
+
+-- 
+Anssi Hannula
+
+ + + + + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+ -- cgit v1.2.1