On Mon, Feb 11, 2013 at 11:03:32PM +0100, Salvatore Bonaccorso wrote:
> Hi
>
> On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> > On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
> > > Some additional information: In most usual cases where zoneminder is
> > > set up, there should be authentication first. So this limits somehow
> > > the vulnerability.
> >
> > The attached patch should address the issue, but I don't have a setup to
> > test.
>
> The patches look like they address the issue mentioned. What I've done:
>
> - Built both for Squeeze and unstable (debdiffs attached)
>
> - Installed zoneminder in a VM, confirmed that for both stable and
> unstable version zoneminder is vulnerable.
>
> - Installed the patched packages to verify the vulnerability.
>
> NOTE: I was not able to test the setDeviceStatusX10 part, but the code fix
> is going the same way as James's:
>
> Security Team, how to proceed? Can/will a DSA be released for it?
We should fix this in a DSA. Vagrant, James or Peter, can you do real-world testing of the proposed squeeze package?

Cheers,
Moritz