lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1334130169.31461174.1352887921077.JavaMail.root@redhat.com>
Date: Wed, 14 Nov 2012 05:12:01 -0500 (EST)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: Tim Brown <timb@...nvas.org>,
	Michael Wiegand <michael.wiegand@...enbone.net>
Cc: oss-security@...ts.openwall.com, full-disclosure@...ts.grok.org.uk,
	Michal Ambroz <rebus@...nam.cz>, bugtraq@...urityfocus.com
Subject: Re: [oss-security] Re: [OVSA20121112] OpenVAS
 Manager Vulnerable To Command Injection

Hello Tim,

  thank you for the heads up and notification.

The versions of openvas-manager package, as shipped with Fedora release of 16
and release of 17 is based on upstream 2.0.5 version yet. From what I have looked
and can tell from upstream advisory and patch (for 3.0.X version):
[1] http://www.openvas.org/OVSA20121112.html
[2] http://wald.intevation.org/scm/viewvc.php?view=rev&root=openvas&revision=14437

the CVE-2012-5520 does not seem to be applicable to OpenVAS-4 / openvas-manager 2.0.5
version yet:
[3] http://lists.wald.intevation.org/pipermail/openvas-announce/2012-August/000140.html

But prior definitely classifying Fedora 16 and Fedora 17 openvas-manager package versions
as not vulnerable to this issue, I would like to hear opinion / confirmation from someone
more familiar with OpenVAS code.

So could you confirm the CVE-2012-5520 wouldn't affect OpenVAS-4 2.0.X version (yet)?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

----- Original Message -----
Doh, a document gets proof read by multiple people and yet it contains a 
mistake.  In the Current Status section of the advisory, the date is 
incorrect.  A corrected advisory is attached.

Tim
-- 
Tim Brown
<mailto:timb@...nvas,org>
<http://www.openvas.org/>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ