Re: [oss-security] Re: [OVSA20121112] OpenVAS Manager Vulnerable To Command Injection
- To: Tim Brown <timb@xxxxxxxxxxx>, Michael Wiegand <michael.wiegand@xxxxxxxxxxxxx>
- Subject: Re: [oss-security] Re: [OVSA20121112] OpenVAS Manager Vulnerable To Command Injection
- From: Jan Lieskovsky <jlieskov@xxxxxxxxxx>
- Date: Wed, 14 Nov 2012 05:12:01 -0500 (EST)
Hello Tim,
thank you for the heads up and notification.
The versions of the openvas-manager package, as shipped with Fedora release 16
and release 17, are still based on the upstream 2.0.5 version. From what I have
looked at and can tell from the upstream advisory and patch (for the 3.0.X version):
[1] http://www.openvas.org/OVSA20121112.html
[2] http://wald.intevation.org/scm/viewvc.php?view=rev&root=openvas&revision=14437
CVE-2012-5520 does not seem to be applicable to the OpenVAS-4 / openvas-manager
2.0.5 version yet:
[3] http://lists.wald.intevation.org/pipermail/openvas-announce/2012-August/000140.html
But prior to definitively classifying the Fedora 16 and Fedora 17 openvas-manager
package versions as not vulnerable to this issue, I would like to hear an
opinion / confirmation from someone more familiar with the OpenVAS code.
So could you confirm that CVE-2012-5520 wouldn't affect the OpenVAS-4 2.0.X
version (yet)?
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
----- Original Message -----
Doh, a document gets proofread by multiple people and yet it contains a
mistake. In the Current Status section of the advisory, the date is
incorrect. A corrected advisory is attached.
Tim
--
Tim Brown
<mailto:timb@openvas,org>
<http://www.openvas.org/>