Package: mondo Severity: grave Tags: security Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for mondo.
CVE-2008-1633[0]: | Unspecified vulnerability in Mondo Rescue before 2.2.5 has unknown | impact and attack vectors, related to the use of (1) /tmp and (2) | MINDI_CACHE. Since you (as co-upstream maintainer) didn't specify any useful description or parts of source code when you fixed this, you get this poor description ;) If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. BTW, grepping the source code for /tmp does show a lot of hardcoded tmp paths in the source code an shipped scripts (ide-opt e.g). Are you sure all of these are secure and not possible to exploit via symlinks? I did not check this in detail because I have no idea how mondo is really used and if this would apply in mondo usage scenarios but it's bad coding style anyway. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1633 http://security-tracker.debian.net/tracker/CVE-2008-1633 -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
pgp9Psj1oDSIg.pgp
Description: PGP signature