
Re: smokeping DLA test



On Thu, Nov 26, 2015 at 10:06:12AM -0500, Antoine Beaupré wrote:
> On 2015-11-26 09:44:10, Antoine Beaupré wrote:
> > Maybe I can rebuild the package with just CVE-2013-4168?
> 
> On the other hand... does the fix break anything? It seems just like a
> nice precaution...

I expect it doesn't break anything (but I haven't really seen the
patch...) So if you're making an update anyway I suppose it's OK
to include that.

I haven't found any details about the vulnerability so I'm not clear on
the attack vector from running the CGI on an arbitrary config file to
running arbitrary commands on the server.  My guess is it additionally
needs a file upload facility or some other vulnerability, but maybe I'm
missing something.
-- 
Niko Tyni   ntyni@debian.org

