Re: tkman stable update for CVE-2008-5137
Hello Nico Golde!
On 30/11/2008 at 10:44 you wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for tkman some time ago.
> CVE-2008-5137[0]:
> | tkman in tkman 2.2 allows local users to overwrite arbitrary files via
> | a symlink attack on a (1) /tmp/tkman##### or (2) /tmp/ll temporary
> | file.
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via a regular security update in Debian stable. It does
> not warrant a DSA.
> However it would be nice if this could get fixed via a regular point update[1].
> Please contact the release team for this.
> This is an automatically generated mail; in case you are already working on an
> upgrade, this is of course pointless.
> For further information:
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5137
> [1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
I've just uploaded a patched version (2.2-4). I'll be happy if someone reviews
the patch.
--
A computer scientist is someone who, when told to "Go to Hell,"
sees the "go to," rather than the destination, as harmful.
Regards /\/\ /\ >< `/
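
The symlink problem in the quoted CVE text, shown as an added example that is not part of this mail and is not the tkman patch: a write to a predictable name follows a pre-existing link, while exclusive creation and `mkstemp` do not. All function names and the `victim.conf` file are hypothetical, and the scenario is constructed inside a throwaway directory standing in for `/tmp`; call `demo()` to run it.

```python
import os
import tempfile
from pathlib import Path


def unsafe_write(path, data):
    # Pattern behind this bug class: open() on a predictable name follows
    # any symlink already present there and truncates the link's target.
    with open(path, "w") as fh:
        fh.write(data)


def exclusive_write(path, data):
    # O_CREAT|O_EXCL fails with EEXIST if the name exists at all, and POSIX
    # requires that a symlink at that name is not followed.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def private_temp(data, prefix="tkman"):
    # Preferred form: unpredictable name, created atomically with mode 0600.
    fd, path = tempfile.mkstemp(prefix=prefix)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo():
    # Constructed scenario: "ll" is a link someone else created beforehand.
    out = {"exclusive_refused": False}
    with tempfile.TemporaryDirectory() as tmp:
        victim, predictable = Path(tmp, "victim.conf"), Path(tmp, "ll")
        victim.write_text("important")
        os.symlink(victim, predictable)
        try:
            exclusive_write(predictable, "scratch")
        except FileExistsError:
            out["exclusive_refused"] = True
        out["victim_after_exclusive"] = victim.read_text()
        unsafe_write(predictable, "scratch")
        out["victim_after_unsafe"] = victim.read_text()
    path = private_temp("scratch")
    out["temp_mode"] = oct(os.stat(path).st_mode & 0o777)
    os.unlink(path)
    return out
```

When reviewing a fix for this class of bug, check that every temporary file goes through an exclusive-create or `mkstemp`-style call and that no fixed name under a world-writable directory remains.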