SCIENTIFIC-LINUX-USERS Archives

April 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
"Alan J. Flavell" <[log in to unmask]>
Reply To:
Alan J. Flavell
Date:
Fri, 14 Apr 2006 12:12:04 +0100
On Fri, 14 Apr 2006, Michael Mansour wrote:

> They reference the link:
> 
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-1739
> 
> which shows that this is remotely exploitable.

Which, as you can see, in turn points to 

http://rhn.redhat.com/errata/RHSA-2005-480.html

which shows the fixes.


This is, I think, an example of a long-standing problem with 
vulnerability testers.  I've met it repeatedly with nessus, for 
example, which was forever reporting vulnerabilities in software 
packages to which we had already applied the relevant fixes.

The testers check the original version code of the product, and 
report vulnerability on that basis.  However, RH do not change the 
original version code of the product when they distribute security 
fixes: instead they append a suffix code in the RPM designation, but 
retain the original version code of the software.

regards

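An added example, not part of Alan's message or the list archive, illustrating the mismatch he describes: a scanner that compares only the upstream version string flags a package as vulnerable, while the RPM changelog (where a vendor records a backported fix) shows the fix is present. The package name, versions and changelog text below are constructed placeholders; only CVE-2005-1739 and RHSA-2005:480 come from the thread.

```python
import re

CVE = "CVE-2005-1739"  # identifier from the thread

# Constructed sample data: a placeholder package NEVR and the text that
# `rpm -q --changelog <pkg>` would print for it. Not a real package.
INSTALLED = "examplepkg-6.0.7.1-10.el3"
UPSTREAM_FIXED = "6.2.3"  # hypothetical upstream version that shipped the fix
CHANGELOG = """\
* Mon Jun 13 2005 Example Maintainer <maint@example.invalid> 6.0.7.1-10
- backport fix for CVE-2005-1739 (RHSA-2005:480)
* Tue Mar 01 2005 Example Maintainer <maint@example.invalid> 6.0.7.1-9
- rebuild
"""


def parse_nevr(nevr):
    """Split 'name-version-release' into its three parts."""
    name, version, release = nevr.rsplit("-", 2)
    return name, version, release


def _segments(ver):
    # Break a version into comparable segments, roughly like rpmvercmp:
    # numeric segments compare numerically and sort above alphabetic ones.
    return [(1, int(s)) if s.isdigit() else (0, s)
            for s in re.findall(r"\d+|[A-Za-z]+", ver)]


def version_only_verdict(nevr, fixed_upstream):
    """Verdict of a scanner that looks only at the upstream version field."""
    _, version, _ = parse_nevr(nevr)
    return "vulnerable" if _segments(version) < _segments(fixed_upstream) else "fixed"


def changelog_verdict(changelog, cve):
    """Verdict from the package changelog, which records backported fixes."""
    return "fixed" if re.search(re.escape(cve), changelog) else "unknown"


def assess(nevr, fixed_upstream, changelog, cve):
    """Return both verdicts so the disagreement is visible side by side."""
    return {
        "version_only": version_only_verdict(nevr, fixed_upstream),
        "changelog": changelog_verdict(changelog, cve),
    }


if __name__ == "__main__":
    print(assess(INSTALLED, UPSTREAM_FIXED, CHANGELOG, CVE))
```

On a real Red Hat derived host the same check is `rpm -q --changelog <pkg> | grep CVE-2005-1739`, which is the evidence to show a scanner that reports on version strings alone.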