On Tue, Dec 16, 2008 at 09:32:07PM +0100, Steffen Joeris wrote:
> Package: netdisco-mibs-installer
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for netdisco-mibs-installer.
> 
> CVE-2008-5379[0]:
> | netdisco-mibs-installer 1.0 allows local users to overwrite arbitrary
> | files via a symlink attack on the /tmp/netdisco-mibs-0.6.tar.gz
> | temporary file, related to the (1) netdisco-mibs-install and (2)
> | netdisco-mibs-download scripts.
> 
> The best way is to use mktemp in shell scripts, which should work for
> this package too.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

What's the status? This security issue is open for a year now!

Cheers,
        Moritz



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to