[DebianGIS-dev] Bug#523027: [oss-security] incorrect upstream fix for CVE-2009-0840 (mapserver)
Nico Golde
oss-security+ml at ngolde.de
Wed Jul 1 17:41:05 UTC 2009
Hi,
* Steven M. Christey <coley at linus.mitre.org> [2009-07-01 13:43]:
> On Mon, 22 Jun 2009, Nico Golde wrote:
>
> > I'm not sure if this should get a new CVE id but the versions in the CVE id
> > description should be adjusted and the upstream patch revised.
>
> This looks like even though there was a source code modification, the
> previous issue was not fixed at all. That is, any attack that would have
> worked before the fix, will still work after the fix.
>
> However, Fedora FEDORA-2009-3383 at least claims a fix for CVE-2009-0840,
> so a new CVE is probably in order to "signal" to admins that they have
> another issue to handle.
>
> Use CVE-2009-2281 for the "new" issue. What versions are affected by
> this?
Should be every currently available release, I'm currently
working with upstream on a better fix.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-grass-devel/attachments/20090701/d1875abb/attachment.pgp>
More information about the Pkg-grass-devel
mailing list