Bugzilla – Full Text Bug Listing

| Field | Value |
|---|---|
| Summary | VUL-0: CVE-2004-1182: hylafax: auth bypass |
| Product | [Novell Products] SUSE Security Incidents |
| Reporter | Thomas Biege <thomas> |
| Component | Incidents |
| Assignee | Security Team bot <security-team> |
| Status | RESOLVED FIXED |
| QA Contact | Security Team bot <security-team> |
| Severity | Normal |
| Priority | P3 - Medium |
| CC | patch-request, security-team |
| Version | unspecified |
| Target Milestone | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | CVE-2004-1182: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| Found By | --- |
| Services Priority | |
| Business Priority | |
| Blocker | --- |
| Marketing QA Status | --- |
| IT Deployment | --- |
| Attachments | hylafax-auth-bypass.diff, patchinfo.hfax, patchinfo-box.hfax, hylafax.patch.box, hylafax.patch.maintained |
Description

Thomas Biege, 2004-12-31 21:57:06 UTC

Created attachment 27335: hylafax-auth-bypass.diff

swamp id 94 ...

Access rights of this bug don't seem to be adequate, as this vulnerability isn't public yet. Make it internal for now - don't know whether this is the right set of rights.

Internal is ok. It should not have been created with SUSELinux access.

Thanks for fixing the access rights.

"SUSELinux" was appropriate in the past too.

CAN-2004-1182

Created attachment 27454: patchinfo.hfax

Created attachment 27455: patchinfo-box.hfax

Please verify the patch files before submitting them.

It's public now.

What's the status, Karsten?

I did wait for the official release 2.1 (which already has the fix IMHO), which was released yesterday. I'm preparing a new package next week, which is some more work, since I also want to split hylafax into client/server packages.

You know that you can't split a package in an update, don't you? And that version updates are strongly discouraged for updates?

Karsten, please backport only the security fix for the maintained distributions. That work is independent from what you plan to do in STABLE.

Ok, misunderstanding: the product of this BUG is 9.3pre, not any released products. Yes, I can backport it to released maintenance products: SLES9-NLD, SLES8-SLEC, SLES8-SSLS, SLES8-SLSTD, and maybe also make a 9.2 BOX update (aj?). Should I also check in an update for SLES9 to cover possible new SLES9 products, or is that done automatically with the SLES9-NLD checkin?

OK, I mbuild all updates above and put them into /work/src/done. If I should also prepare updates for older BOX products, this is no problem.

Yes, we need updates for 8.1-9.2. For security bugs the bugzilla product setting usually has no meaning.

OK, the packages are now in done/8.1-9.2 and in the SLES products.

I suppose the additional constraints that are, according to the original report, placed on entries in the config file after the fix also apply to our packages, correct? The subpackage capi4hylafax is not affected by this fix, correct?

Created attachment 27649: hylafax.patch.box

Created attachment 27650: hylafax.patch.maintained

#19: No, the config files are not touched yet. #20: Yes, capi4hylafax is not affected.

So are the additional notes I added to the patchinfos required or not?

They are required, since this is not documented elsewhere.

Updates released.