cpe ids and package names

2012-11-14 Thread Quentin Poirier

Hello,

I apologize for the mistakes I will make, I am not a native speaker.

Yesterday, I asked a question to the security team and they told me to 
ask it here (in short): Is there a file that binds CPE ids to package 
names?


I know this file exists:

http://anonscm.debian.org/viewvc/secure-testing/data/CPE/list?view=markup


The problem is: it does not include any version info. For example:

If I scan a machine with nmap and retrieve the HTTP server's CPE (let's 
say it's Apache 2.2.22),


The cpe will be cpe:/a:apache:http_server:2.2.22.

With the list I gave above, I'm able to say: the package currently 
running is either apache or apache2, but nothing more (of course, 
obviously, it is apache2).


In that special case it is easy to determine which package is installed 
and used, but it becomes a pain if I want a global solution to determine 
which package corresponds to which service (not only the http server).


I see two solutions:

Doing a fuzzy match of the product's name and the product's version 
against the package names, which is an ugly trick that won't work in 
every case imo.

Making an enumeration of CPEs and binding each of them to the right 
package name depending on a given version (maybe in an XML file?).


Have you heard of such a file?

* Florian Weimer

You should ask on the public mailing list
debian-security@lists.debian.org, perhaps there is sufficient
interest to maintain such a mapping.

So? Would you be interested in a file like this?

Thank you.

Regards,

Quentin Poirier


--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/50a3bced.9060...@epitech.eu
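The second approach from the message above (a CPE enumeration that picks the package by version, rather than fuzzy name matching) sketched in code. This is an added example, not a file from the Debian secure-testing repository: the MAPPING table, the version-range rule shape and the function names are constructed here for illustration, and only the (vendor, product) pair is taken from the real CPE list format.

```python
"""Resolve a CPE 2.2 URI (as reported by nmap) to a Debian package name."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: str
    product: str
    version: str = ""


def parse_cpe(uri: str) -> Cpe:
    """Parse 'cpe:/<part>:<vendor>:<product>[:<version>[:...]]' (CPE 2.2)."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) < 3:
        raise ValueError(f"CPE needs part, vendor and product: {uri!r}")
    part, vendor, product = fields[:3]
    version = fields[3] if len(fields) > 3 else ""
    return Cpe(part, vendor, product, version)


def version_key(v: str) -> tuple:
    """'2.2.22' -> (2, 2, 22) so that ranges compare numerically.
    Non-numeric components count as 0 (enough for this illustration)."""
    out = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        out.append(int(digits) if digits else 0)
    return tuple(out)


# Constructed mapping (not the Debian list): (vendor, product) ->
# [(min_version inclusive, max_version exclusive, package)], "" = unbounded.
MAPPING = {
    ("apache", "http_server"): [
        ("", "2.0", "apache"),    # 1.3.x series was packaged as 'apache'
        ("2.0", "", "apache2"),   # 2.x series is packaged as 'apache2'
    ],
}


def candidate_packages(uri: str) -> list:
    """All packages the product maps to, ignoring version (today's list)."""
    cpe = parse_cpe(uri)
    return sorted({pkg for _, _, pkg in MAPPING.get((cpe.vendor, cpe.product), [])})


def resolve_package(uri: str) -> Optional[str]:
    """Pick the single package whose version range contains the CPE version."""
    cpe = parse_cpe(uri)
    if not cpe.version:
        return None  # without a version only candidate_packages() is meaningful
    v = version_key(cpe.version)
    for lo, hi, pkg in MAPPING.get((cpe.vendor, cpe.product), []):
        if (lo and v < version_key(lo)) or (hi and v >= version_key(hi)):
            continue
        return pkg
    return None
```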



Re: cpe ids and package names

2012-11-14 Thread Henri Salo
On Wed, Nov 14, 2012 at 04:46:53PM +0100, Quentin Poirier wrote:
> http://anonscm.debian.org/viewvc/secure-testing/data/CPE/list?view=markup
snip
> So? Would you be interested by a file like this?

I am very interested. I think we (as in the Debian project) should start using 
CPEs. We probably need some kind of planning session to get ideas listed and 
some kind of roadmap. You can contact me directly if you want to give me tasks 
or share ideas etc, but I suggest we keep meeting in IRC some day.

- Henri Salo
ps. not yet Debian Developer





Re: Bug#693210: server crash on preparing an empty query with tracing enabled

2012-11-14 Thread Damyan Ivanov
(adding -security to Cc)

-=| Damyan Ivanov, 14.11.2012 11:35:02 +0200 |=-
> Source: firebird2.5
> Version: 2.5.0
> Severity: important
> Tags: upstream fixed-upstream security
> Forwarded: http://tracker.firebirdsql.org/browse/CORE-3884
> 
> With trace enabled, preparing an empty query crashes the server on line 91 of 
> /src/jrd/trace/TraceDSQLHelpers.h, since the dereferenced m_request variable 
> is NULL.
> 
> Tagged as 'security' since this is a remote crash, although it requires a 
> valid user/pass.

This issue has been assigned CVE-2012-5529.

