Date: Mon, 19 May 2014 03:01:10 -0400 (EDT)
From: cve-assign@...re.org
To: creffett@...too.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: X2Go Server privilege escalation

> I don't see a CVE assigned for the vulnerability announced here:
> http://permalink.gmane.org/gmane.linux.terminal-server.x2go.announce/83
> It appears that this is a privilege escalation through injecting
> backticks, but I'm not absolutely sure. It is fixed as of versions
> 4.0.1.10/4.0.0.8 in the following commits:
> http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=5a2aa0c36ef7a57d87e3bb6f7c6b2558ed5430f7
> http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=5a2aa0c36ef7a57d87e3bb6f7c6b2558ed5430f7
> http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=8347d3fef0e5cbabe4aa48f503612fa7b9d078f8
> http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=bf44925ecccda436caa1cfc34f89eced9c1bd104

Use CVE-2013-7383.

Please clarify whether there is a fourth required commit. (The
first commit was listed twice in your original message.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
