Re: Acroread7 security vulnerability

From: Simon L. Nielsen (simon_at_FreeBSD.org)
Date: 08/28/05

    Date: Sun, 28 Aug 2005 23:02:21 +0200
    To: Boris Samorodov <bsam@ipt.ru>
    
    
    

    On 2005.08.28 13:43:26 +0200, Simon L. Nielsen wrote:
    > On 2005.08.28 15:25:25 +0400, Boris Samorodov wrote:
    > > On Sun, 28 Aug 2005 13:13:18 +0200 Simon L. Nielsen wrote:
    > >
    > > > You are mixing up two different vulnerabilities [1]. The vulnerability
    > > > fixed by the 7.0.1 upgrade was "acroread -- plug-in buffer overflow
    > > > vulnerability" [2]. The vulnerability portaudit is warning you about
    > > > is "acroread -- XML External Entity vulnerability" [3]. As far as I
    > > > know Adobe has not released any fix for the Linux version of Adobe
    > > > Reader for [3].
    > >
    > > > [1] http://www.vuxml.org/freebsd/pkg-acroread7.html
    > > > [2] http://www.vuxml.org/freebsd/f74dc01b-0e83-11da-bc08-0001020eed82.html
    > > > [3] http://www.vuxml.org/freebsd/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html
    > >
    > > Well, I think that the Linux version does not suffer from CAN-2005-1306:
    > > http://www.adobe.com/support/techdocs/331710.html
    > >
    > > Platforms affected are Windows and Mac OS. Am I missing something?
    >
    > Adobe does not list the Linux version as affected, but the original
    > reporter of the problem does list the Linux version as affected, at
    > http://shh.thathost.com/secadv/adobexxe/ . In these cases we prefer to
    > err on the side of caution and would rather list a package as affected,
    > even if it's not, than not list a package that turns out to
    > be affected.
    >
    > I have just written a mail to the original reporter of the problem to
    > try to clarify the issue.

    I just got a mail back from Sverre H. Huseby and he says that the
    Linux version indeed was affected, but 7.0.1 seems to be fixed, so I
    marked it as fixed in VuXML.

    -- 
    Simon L. Nielsen
    FreeBSD Security Team
    
    


