Date: Wed, 14 Nov 2012 05:12:01 -0500 (EST) From: Jan Lieskovsky <jlieskov@...hat.com> To: Tim Brown <timb@...nvas.org>, Michael Wiegand <michael.wiegand@...enbone.net> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, oss-security@...ts.openwall.com, Michal Ambroz <rebus@...nam.cz> Subject: Re: Re: [OVSA20121112] OpenVAS Manager Vulnerable To Command Injection Hello Tim, thank you for the heads up and notification. The versions of openvas-manager package, as shipped with Fedora release of 16 and release of 17 is based on upstream 2.0.5 version yet. From what I have looked and can tell from upstream advisory and patch (for 3.0.X version):  http://www.openvas.org/OVSA20121112.html  http://wald.intevation.org/scm/viewvc.php?view=rev&root=openvas&revision=14437 the CVE-2012-5520 does not seem to be applicable to OpenVAS-4 / openvas-manager 2.0.5 version yet:  http://lists.wald.intevation.org/pipermail/openvas-announce/2012-August/000140.html But prior definitely classifying Fedora 16 and Fedora 17 openvas-manager package versions as not vulnerable to this issue, I would like to hear opinion / confirmation from someone more familiar with OpenVAS code. So could you confirm the CVE-2012-5520 wouldn't affect OpenVAS-4 2.0.X version (yet)? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team ----- Original Message ----- Doh, a document gets proof read by multiple people and yet it contains a mistake. In the Current Status section of the advisory, the date is incorrect. A corrected advisory is attached. Tim -- Tim Brown <mailto:timb@...nvas,org> <http://www.openvas.org/>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.