Reply To: Alan J. Flavell
Date: Fri, 14 Apr 2006 12:12:04 +0100
On Fri, 14 Apr 2006, Michael Mansour wrote:
> They reference the link:
>
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-1739
>
> which shows that this is remotely exploitable.

Which, as you can see, in turn points to

http://rhn.redhat.com/errata/RHSA-2005-480.html

which shows the fixes.

This is, I think, an example of a long-standing problem with
vulnerability testers. I've met it repeatedly with nessus, for
example, which was forever reporting vulnerabilities in software
packages to which we had already applied the relevant fixes.

The testers check the original version code of the product, and
report vulnerability on that basis. However, RH do not change the
original version code of the product when they distribute security
fixes: instead they append a suffix code in the RPM designation, but
retain the original version code of the software.

regards