Date: Mon, 20 Feb 2012 14:47:53 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com,
        muuratsalo experimental hack lab <muuratsalo@...il.com>,
        Ulli Horlacher <framstag@....uni-stuttgart.de>
Subject: Re: Vulnerabilities in Debian F*EX <= 20100208 and
 F*EX 20111129-2.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/20/2012 07:54 AM, Nico Golde wrote:
> Hi,
> * Henri Salo <henri@...v.fi> [2012-02-20 14:16]:
>> On Mon, Feb 20, 2012 at 01:15:10PM +0100, Nico Golde wrote:
>>> * muuratsalo experimental hack lab <muuratsalo@...il.com>
>>> [2012-02-20 12:51]:
>>>> I am Nicola Fioravanti aka muuratsalo | muuratsalo
>>>> experimental hack lab. I am writing you because I have
>>>> discovered some vulnerabilities in Debian F*EX <= 20100208
>>>> (stable) and F*EX 20111129-2. (testing and unstable) I have
>>>> already contacted the Author who confirmed the
>>>> vulnerabilities and applied the suggested fixes. A major
>>>> update of F*EX has been released on the 15th of February
>>>> 2012. The Debian Maintainer of the package is working on it.
>>>> Together with the Author we decided not to release any public
>>>> advisory before the release of the new Debian package.
>>>> 
>>>> I would be grateful if you could assign CVE ids to the
>>>> discovered issues.
>>> 
>>> I asked Nicola to send this to oss-security as the impact of
>>> this bug is fairly low in my opinion and the issue is public
>>> via the upstream changelog.
>>> 
>>> Can someone please assign a CVE id to this? Given that all of
>>> the vulnerable input parameters are in the fup component, I
>>> guess one id should be sufficient.
>> 
>> Is there a Debian bug-report about this issue?
> 
> Yes, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660621
> 
> Cheers
> Nico
>
> P.S. the bug report does not mention the other
> vulnerable parameters as I forgot those

Please use CVE-2012-0869 for this issue.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-----END PGP SIGNATURE-----
