Date: Thu, 21 Feb 2013 09:28:23 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: zoneminder: local file inclusion vulnerability

Hi Kurt

Thank you for the CVE assignment!

On Wed, Feb 20, 2013 at 11:59:58PM -0700, Kurt Seifried wrote:
> > Hi
> > 
> > In zoneminder forum the following announce was done already in
> > 2011:
> > 
> > http://www.zoneminder.com/forums/viewtopic.php?f=1&t=17979
> 
> Stupid Q, is there like an official security page? Posting stuff to a
> forum is not exactly the easiest place to find things, can they set up
> like zoneminder.com/security/ and at least list all the security
> issues and link to them there so people don't have to dig through the
> forums?
> 
> I say this because this is the first cve request I've ever seen for
> zoneminder since I started assigning, and indeed, since 2008, so I'm
> guessing there's a few more missing ones......

I further know about the wikipage with the ChangeLog, but there is no
patch referenced (thus the forum post). It's here:

 [1] http://www.zoneminder.com/wiki/index.php/Change_History

But I have not read through yet, to see if there are more changes
indicating some security implication. For the one of my request there
was only

FIX - Fixed Local File Inclusion (LFI) vulnerability. Please note a
patch for this is also available for 1.24.4 which the 1.24.4 tarball
also contains for recent downloads.

> If someone wants to dig through the forums to find them and post them
> here that would probably be helpful (seriously, wanna pad your resume
> and get a reference from me? first person to make 100 good CVE
> requests wins).

I can check indeed if I find more. To the forum post for
CVE-2013-0232 there is still no answer from upstream[2]

 [2]: http://www.zoneminder.com/forums/viewtopic.php?f=29&t=20771

Regards,
Salvatore
