On Mon, Feb 11, 2013 at 11:03:32PM +0100, Salvatore Bonaccorso wrote:
> Hi
> 
> On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> > On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
> > > Some additional information: In most usual cases where zoneminder is
> > > set up, there should be authentication first. So this limits somehow
> > > the vulnerability.
> > 
> > The attached patch should address the issue, but I don't have a setup to
> > test.
> 
> The patches look like they address the issue mentioned. What I've done:
> 
>  - Built both for Squeeze and unstable (debdiffs attached)
> 
>  - Installed zoneminder in a VM, confirmed that for both stable and
>    unstable versions zoneminder is vulnerable.
> 
>  - Installed the patched packages to verify the vulnerability.
> 
> NOTE: I was not able to test setDeviceStatusX10 part, but the code fix
> is going the same by James:
> 
> Security Team, how to proceed? Can/will a DSA be released for it?

We should fix this in a DSA. 

Vagrant, James or Peter, can you do real-world testing of the proposed squeeze
package?

Cheers,
        Moritz

