Re: [SECURITY] [DSA 930-1] New smstools packages fix format string vulnerability

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 930-1] New smstools packages fix format string vulnerability
From: Thijs Kinkhorst <kink@squirrelmail.org>
Date: Mon, 09 Jan 2006 14:32:18 +0100
Message-id: <[🔎] 43C265E2.4080905@squirrelmail.org>
In-reply-to: <E1EvxQN-00066a-70@klecker.debian.org>
References: <E1EvxQN-00066a-70@klecker.debian.org>

Michael Stone wrote:

Vulnerability  : format string attack
Problem-Type   : local
Debian-specific: no
CVE ID         : CVE-2006-0083

Ulf Harnhammar from the Debian Security Audit project discovered a
format string attack in the logging code of smstools, which may be
exploited to execute arbitary code with root privileges.

The old stable distribution (woody) does not contain smstools package.

For the stable distribution (sarge) this problem has been fixed in
version 1.14.8-1sarge0.

For the unstable distribution the package will be updated shortly.

It's great to hear that unstable will be fixed soon, but why wasn'tthere a grave bug filed against the package? If for some reason themaintainer misses this DSA, it is lateron unknown that the version inunstable is vulnerable and still needs to be fixed...



Thijs

Reply to:

Follow-Ups:
- Re: [SECURITY] [DSA 930-1] New smstools packages fix format string vulnerability
  - From: Martin Zobel-Helas <zobel@ftbfs.de>
- Re: [SECURITY] [DSA 930-1] New smstools packages fix format string vulnerability
  - From: Steve Kemp <skx@debian.org>
- Re: [SECURITY] [DSA 930-1] New smstools packages fix format string vulnerability
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Re: Hi honey. It is of course Cutey Julie
Next by Date: Re: [SECURITY] [DSA 930-1] New smstools packages fix format string vulnerability
Previous by thread: Re: Hi honey. It is of course Cutey Julie
Next by thread: Re: [SECURITY] [DSA 930-1] New smstools packages fix format string vulnerability
Index(es):
- Date
- Thread