Re: [SECURITY] [DSA 930-1] New smstools packages fix format string vulnerability

2006-01-09 Thread Florian Weimer
* Steve Kemp:

>   Testing will get the fix shortly via the package migration,

How?  By downgrading the smstools package?  (etch and sid are at the
same version.)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: [SECURITY] [DSA 930-1] New smstools packages fix format string vulnerability

2006-01-09 Thread Florian Weimer
* Thijs Kinkhorst:

> It's great to hear that unstable will be fixed soon, but why wasn't 
> there a grave bug filed against the package? If for some reason the 
> maintainer misses this DSA, it is later on unknown that the version in
> unstable is vulnerable and still needs to be fixed...

Uhm, the testing security database records that it's not been fixed
for unstable (and testing).  There is no need to worry that it might
fall through the cracks.





Re: [SECURITY] [DSA 930-1] New smstools packages fix format string vulnerability

2006-01-09 Thread Steve Kemp
On Mon, Jan 09, 2006 at 02:32:18PM +0100, Thijs Kinkhorst wrote:

> >For the unstable distribution the package will be updated shortly.
> >  
> It's great to hear that unstable will be fixed soon, but why wasn't 
> there a grave bug filed against the package? If for some reason the 
> maintainer misses this DSA, it is later on unknown that the version in
> unstable is vulnerable and still needs to be fixed...

  A bug has been filed.  If there is no action in a short space
 of time I'm happy to perform an NMU.

  Testing will get the fix shortly via the package migration, so it
 is only sid users who are at risk; and we don't offer explicit
 security support there.  (Though obviously it should be fixed ASAP.)

Steve
--





Re: [SECURITY] [DSA 930-1] New smstools packages fix format string vulnerability

2006-01-09 Thread Martin Zobel-Helas
Hi Thijs,

On Monday, 09 Jan 2006, you wrote:
> Michael Stone wrote:
> >Vulnerability  : format string attack
> >Problem-Type   : local
> >Debian-specific: no
> >CVE ID : CVE-2006-0083
> >
> >Ulf Harnhammar from the Debian Security Audit project discovered a
> >format string attack in the logging code of smstools, which may be
> >exploited to execute arbitrary code with root privileges.
> >
> >The old stable distribution (woody) does not contain the smstools package.
> >
> >For the stable distribution (sarge) this problem has been fixed in
> >version 1.14.8-1sarge0.
> >
> >For the unstable distribution the package will be updated shortly.
> >  
> It's great to hear that unstable will be fixed soon, but why wasn't 
> there a grave bug filed against the package? If for some reason the 
> maintainer misses this DSA, it is later on unknown that the version in
> unstable is vulnerable and still needs to be fixed...

You are right, but the testing security team also usually tracks these
kinds of bugs, so I guess (if it is not filed already) it will do so
soon.

Greetings
Martin





Re: [SECURITY] [DSA 930-1] New smstools packages fix format string vulnerability

2006-01-09 Thread Thijs Kinkhorst

Michael Stone wrote:

Vulnerability  : format string attack
Problem-Type   : local
Debian-specific: no
CVE ID : CVE-2006-0083

Ulf Harnhammar from the Debian Security Audit project discovered a
format string attack in the logging code of smstools, which may be
exploited to execute arbitrary code with root privileges.

The old stable distribution (woody) does not contain the smstools package.

For the stable distribution (sarge) this problem has been fixed in
version 1.14.8-1sarge0.

For the unstable distribution the package will be updated shortly.
  
It's great to hear that unstable will be fixed soon, but why wasn't 
there a grave bug filed against the package? If for some reason the 
maintainer misses this DSA, it is later on unknown that the version in
unstable is vulnerable and still needs to be fixed...



Thijs


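The advisory quoted in this thread describes the bug class in a single sentence: a format string attack in logging code, exploitable for root code execution. The following C is an added illustration of that generic pattern and is not smstools code, not the Debian patch, and not part of the original thread. It assumes a hypothetical printf-style logging helper (logf_to_buf) of the kind many daemons carry, shows the call that passes untrusted text as the format beside the fixed call, and adds a small audit helper for spotting live %-directives in inputs or log lines. The function names and the sample message are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 128

/* Hypothetical logging helper (assumption for this example): a printf-like
 * format plus variadic arguments, rendered into a buffer. A real daemon's
 * helper would then hand the buffer to syslog() or a log file. */
static int logf_to_buf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: attacker-influenced text (e.g. message content or a
 * modem reply) is passed as the FORMAT argument, so every %-directive in it
 * is interpreted: %x/%s read stack or memory, %n writes to memory. When the
 * daemon runs as root, that is a root code-execution primitive. */
int log_event_unsafe(char *out, size_t outlen, const char *untrusted)
{
    return logf_to_buf(out, outlen, untrusted);
}

/* Fixed pattern: the format is a literal under the programmer's control and
 * the untrusted text is only an argument, copied verbatim. */
int log_event_safe(char *out, size_t outlen, const char *untrusted)
{
    return logf_to_buf(out, outlen, "%s", untrusted);
}

/* Audit helper: count %-directives a printf engine would interpret. "%%" is
 * an escaped percent and does not count. Handy for grepping captured input
 * or existing logs for probe strings such as "%n%n%n" or "%x%x%x". */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { /* escaped percent: skip the pair */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample message. Even this harmless input (an escaped
     * percent, no memory-touching directive) shows the difference: the
     * unsafe path consumes the directive, the safe path logs the text
     * verbatim. A hostile input would use %n or %x instead. */
    const char *msg = "delivery to 555-0100: 100%% done";
    char a[LOGBUF], b[LOGBUF];

    log_event_unsafe(a, sizeof a, msg);
    log_event_safe(b, sizeof b, msg);
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    printf("live directives in \"%s\": %d\n", "%n%n%n",
           count_format_directives("%n%n%n"));
    return 0;
}
```

The unsafe path is deliberately exercised only with an escaped percent; feeding it a string with %x or %n is undefined behaviour and exactly the condition the advisory warns about. Compilers flag the unsafe call when the helper is annotated with `__attribute__((format(printf, 3, 4)))` and `-Wformat-security` is on, which is the cheap check to add to any logging wrapper of this shape.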