lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <411E52F6.6070505@gentoo.org>
From: krispykringle at gentoo.org (Dan Margolis)
Subject: Re: [ GLSA 200408-10 ] gv: Exploitable Buffer Overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There seems to be some confusion regarding our recent gv buffer overflow
GLSA. This GLSA came on the heels of the following fake advisory, which
also reported a buffer overflow in gv[1]. That advisory contained
alleged exploit code that, in fact, contained a local DoS exploit.

The gv vulnerability reported and patched in GLSA 200408-10 is not the
same as this fictitious vulnerability. The vulnerability patched is the
same referred to in the CVE reference[2] included in the GLSA, a real
two-year old vulnerability in gv.

Please do not run the alleged exploit code listed in the fictigious gv
advisory, as it is a local DoS exploit. However, all information
contained in the GLSA is correct, and all Gentoo users should still
upgrade their gv installations to the latest available version.

This e-mail is merely meant to clarify some confusion that may have
resulted from bad information in the relevant Gentoo bug[3] and comments
on various security mailing lists. The information contained within the
GLSA is still valid, and therefore no official errata will be issued.

For more information on Gentoo security policies, please see Gentoo's
Vulnerability Policy[4].

[1] http://www.osvdb.org/displayvuln.php?osvdb_id=8399
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0838
[3] http://bugs.gentoo.org/show_bug.cgi?id=59385
[4] http://www.gentoo.org/security/en/vulnerability-policy.xml
- --
Dan Margolis ("KrispyKringle")
Gentoo Linux Security Coordinator
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iQEVAwUBQR5S9rDO2aFJ9pv2AQLl8wgAjoCOX80DmivzloyqB8XkwxD5R2LPqFRN
+2YK5hlMTi9PJNN/cC78Pvdm4vwH/M1HQJOWf4A9BoC0ERegcqANi/AqHJgw5CPu
0ZF3IjNqGwmBM7TRcuQErwpXWFiiOTHaev/AfAnkTWjhJuVLTgVJFz/f91kObY3r
ys8OugVhvpNUAgL6Sw4EmOAm8KR4bDYqLhmEkGowIbwMU9oG0HwwrXM9iXWokmcz
A/xrvCAbYWh1UVvwxdz7x5t4idW6c5qMgf4Oou/KmvjLRV0kf2gzp0GB8sFmjvUS
h38Pg5Fx2se38RxaU8tJKmWv9ze7aknnzTx1avq/QAvdmwpNsV7vxw==
=xDpJ
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ