Date: Thu, 21 Feb 2013 09:28:23 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: zoneminder: local file inclusion vulnerability

Hi Kurt

Thank you for the CVE assignment!

On Wed, Feb 20, 2013 at 11:59:58PM -0700, Kurt Seifried wrote:
> > Hi
> >
> > In zoneminder forum the following announcement was made already in
> > 2011:
> >
> > http://www.zoneminder.com/forums/viewtopic.php?f=1&t=17979
>
> Stupid Q, is there like an official security page? Posting stuff to a
> forum is not exactly the easiest place to find things, can they set up
> like zoneminder.com/security/ and at least list all the security
> issues and link to them there so people don't have to dig through the
> forums?
>
> I say this because this is the first CVE request I've ever seen for
> zoneminder since I started assigning, and indeed, since 2008, so I'm
> guessing there's a few more missing ones......

I further know about the wiki page with the ChangeLog, but there is no
patch referenced (thus the forum post). It's here:

 http://www.zoneminder.com/wiki/index.php/Change_History

But I have not read through it yet, to see if there are more changes
indicating some security implication. For the one in my request there
was only:

    FIX - Fixed Local File Inclusion (LFI) vulnerability. Please note a
    patch for this is also available for 1.24.4 which the 1.24.4
    tarball also contains for recent downloads.

> If someone wants to dig through the forums to find them and post them
> here that would probably be helpful (seriously, wanna pad your resume
> and get a reference from me? first person to make 100 good CVE
> requests wins).

I can check indeed if I find more. To the forum post for
CVE-2013-0232 there is still no answer from upstream:

http://www.zoneminder.com/forums/viewtopic.php?f=29&t=20771

Regards,
Salvatore