
[unconfirmed] new atftp vulnerabilities



I'm writing [unconfirmed] now when I've found new advisories or bugs but
haven't had time to fully research them and see if they really are
vulnerabilities and whether Debian is vulnerable (potato, woody, sarge,
sid). It seems that since mdz has been put on the Security Team proper
he's released DSAs just after I find the bids, advisories or
speculation of bugs. This is likely coincidental, but it is nice to see the
speed at which advisories are released.

http://www.securityfocus.com/bid/7902/discussion/
http://www.securityfocus.com/bid/7906/discussion/
http://www.securityfocus.com/bid/7907/discussion/ say: "It should be
noted that although this vulnerability has been reported to affect atftp
version 0.7cvs, other versions might also be vulnerable."

Without spending too much time on this I can say that I doubt the security
advisory addresses these bids, which came out after it, and at least two
of them are local buffer overflows which I'm not sure would even be
vulnerabilities if atftp is not set up setuid/setgid... I also may have
accidentally included the bid that was fixed in the list of three.

     Drew Daniels
