Re: Arcoread7 secutiry vulnerability

From: Ian Moore (imoore_at_swiftdsl.com.au)
Date: 08/29/05

    To: "Simon L. Nielsen" <simon@freebsd.org>
    Date: Mon, 29 Aug 2005 20:23:01 +0930

    On Monday 29 August 2005 06:32, Simon L. Nielsen wrote:
    > On 2005.08.28 13:43:26 +0200, Simon L. Nielsen wrote:
    > > On 2005.08.28 15:25:25 +0400, Boris Samorodov wrote:
    > > > On Sun, 28 Aug 2005 13:13:18 +0200 Simon L. Nielsen wrote:
    > > > > You are mixing up two different vulnerabilities [1]. The
    > > > > vulnerability fixed by the 7.0.1 upgrade was "acroread -- plug-in
    > > > > buffer overflow vulnerability" [2]. The vulnerability portaudit is
    > > > > warning you about is "acroread -- XML External Entity vulnerability"
    > > > > [3]. As far as I know Adobe has not released any fix for the Linux
    > > > > version of Adobe Reader for [3].
    > > > >
    > > > > [1] http://www.vuxml.org/freebsd/pkg-acroread7.html
    > > > > [2] http://www.vuxml.org/freebsd/f74dc01b-0e83-11da-bc08-0001020eed82.html
    > > > > [3] http://www.vuxml.org/freebsd/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html
    > > >
    > > > Well, I think that the Linux version does not suffer from CAN-2005-1306:
    > > > http://www.adobe.com/support/techdocs/331710.html
    > > >
    > > > Platforms affected are Windows and Mac OS. Am I missing something?
    > >
    > > Adobe does not list the Linux version as affected, but the original
    > > reporter of the problem does list the Linux version as affected, at
    > > http://shh.thathost.com/secadv/adobexxe/ . In these cases we prefer to
    > > err on the side of caution and will rather list a package as affected,
    > > even if it's not, rather than not listing a package that turns out to
    > > be affected.
    > >
    > > I have just written a mail to the original reporter of the problem to
    > > try to clarify the issue.
    >
    > I just got a mail back from Sverre H. Huseby and he says that the
    > Linux version indeed was affected, but 7.0.1 seems to be fixed, so I
    > marked it as fixed in VuXML.

    Thanks for clearing that up!

    Cheers,

    -- 
    Ian Moore
    GPG Key: http://home.swiftdsl.com.au/~imoore/imoore-swift.asc
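The vulnerability the thread is tracking (CAN-2005-1306) belongs to the XML External Entity class: a document's DOCTYPE declares an entity whose SYSTEM identifier points at a local file or URL, and a parser that resolves it discloses that content. The following is an added example written for this archive page, not code from the thread, from FreeBSD, VuXML or Adobe. It uses Python's bundled expat bindings to record any DOCTYPE and entity declarations before a document is parsed and refuses documents that carry them; the function names, the constructed sample documents and the `file:///PLACEHOLDER/...` path are all assumptions made for the example.

```python
"""Detect DOCTYPE / entity declarations before handing XML to a parser.

Hypothetical helper written for this page; it is not FreeBSD, VuXML or
Adobe code. Python's expat bindings report each declaration as it is
reached, so the decision is made before any entity reference in the body
is processed, and no external-entity handler is ever installed.
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when a document declares a DOCTYPE or entities."""


def audit_prolog(data: bytes) -> dict:
    """Return what the prolog declares: DOCTYPE, internal and external entities."""
    findings = {"doctype": False, "entities": [], "parse_error": None}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = True

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        findings["entities"].append({
            "name": name,
            # expat passes value=None for external (SYSTEM/PUBLIC) entities
            "external": value is None,
            "system_id": system_id,
        })

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # A malformed document is still reported; the flags set so far stand.
        findings["parse_error"] = str(exc)
    return findings


def parse_safely(data: bytes) -> ET.Element:
    """Parse only documents whose prolog declares nothing at all."""
    findings = audit_prolog(data)
    if findings["doctype"] or findings["entities"]:
        names = ", ".join(e["name"] for e in findings["entities"]) or "(none)"
        raise UnsafeXML(f"DOCTYPE/entity declarations present: {names}")
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True if parse_safely refuses the document, False if it parses."""
    try:
        parse_safely(data)
    except UnsafeXML:
        return True
    return False


# Constructed samples for this example (not documents from the thread).
SAFE_DOC = b"<report><title>quarterly</title></report>"
# External entity: the shape of the XXE class; the path is a placeholder.
XXE_DOC = (b'<!DOCTYPE report [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt">]>'
           b"<report><title>&ext;</title></report>")
# Nested internal entities: the entity-expansion (resource exhaustion) shape.
EXPANSION_DOC = (b'<!DOCTYPE a [<!ENTITY l0 "x"><!ENTITY l1 "&l0;&l0;&l0;">]>'
                 b"<a>&l1;</a>")


if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC), ("xxe", XXE_DOC), ("expansion", EXPANSION_DOC)):
        try:
            root = parse_safely(doc)
            print(f"{label}: parsed <{root.tag}>")
        except UnsafeXML as exc:
            print(f"{label}: rejected ({exc})")
```

Rejecting every DOCTYPE is the usual policy for data-interchange XML, where a document has no legitimate reason to declare entities; `audit_prolog` also returns the declared names and SYSTEM identifiers, which is what a log line or a vulnerability report such as the one discussed above needs when a rejected document is investigated.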