Date: Thu, 05 Dec 2013 15:02:30 +1100 From: Murray McAllister <mmcallis@...hat.com> To: oss-security@...ts.openwall.com CC: meissner@...e.de, Kurt Seifried <kseifrie@...hat.com> Subject: CVE needed for hplip insecure auto update feature? Hello, https://bugzilla.novell.com/show_bug.cgi?id=853405 talks about an upgrade feature in hplip downloading (via HTTP) a binary and executing it. Is a CVE needed for that? Along with the versions in <https://bugzilla.novell.com/show_bug.cgi?id=853405#c6>, the hplip 1.6.7 and hplip3 3.9.8 versions I looked at did not have the upgrade.py file in the source (newer version like 3.13.11 had it in the source but the RPM spec file looks to remove it at build time, so it is not provided in the binary RPMs). Thanks, -- Murray McAllister / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.