Hi!

cc'd to freebsd-security@ as somebody there may correct me, cc'd to
secteam@ as maintainer of security/portaudit.

On Sun, 28 Aug 2005 10:14:21 +0930 Ian Moore wrote:

> I've just updated my acroread port to 7.0.1 & was surprised when portaudit
> still listed it as a vulnerability.

I think it is a portaudit problem.

> According to freebsd.org/cgi/query-pr.cgi?pr=ports/85093, the
> upgrade to 7.0.1 is supposed to fix the problem, but according to
> freebsd.org/ports/portaudit/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html
> and Adobe's web site at adobe.com/support/techdocs/331710.html,
> the problem exists in 7.0.1 as well, but is fixed in 7.0.2.
>
> I'm just wondering who is right here, or am I missing something?

It looks like you missed the platform to pay attention to. For Linux and
Solaris "users should upgrade to Adobe Reader 7.0.1"...

WBR
--
bsam
On 2005.08.28 14:56:11 +0400, Boris Samorodov wrote:

> On Sun, 28 Aug 2005 10:14:21 +0930 Ian Moore wrote:
>
> > I've just updated my acroread port to 7.0.1 & was surprised when portaudit
> > still listed it as a vulnerability.

It is, at least based on the information we (Security Team) have.

> I think it is a portaudit problem.
>
> > According to freebsd.org/cgi/query-pr.cgi?pr=ports/85093, the
> > upgrade to 7.0.1 is supposed to fix the problem, but according to
> > freebsd.org/ports/portaudit/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html
> > and Adobe's web site at adobe.com/support/techdocs/331710.html,
> > the problem exists in 7.0.1 as well, but is fixed in 7.0.2.
> >
> > I'm just wondering who is right here, or am I missing something?
>
> It looks like you missed the platform to pay attention to. For Linux
> and Solaris "users should upgrade to Adobe Reader 7.0.1"...

You are mixing up two different vulnerabilities [1]. The vulnerability
fixed by the 7.0.1 upgrade was "acroread -- plug-in buffer overflow
vulnerability" [2]. The vulnerability portaudit is warning you about is
"acroread -- XML External Entity vulnerability" [3]. As far as I know
Adobe has not released any fix for the Linux version of Adobe Reader
for [3].

[1] vuxml.org/freebsd/pkg-acroread7.html
[2] vuxml.org/freebsd/f74dc01b-0e83-11da-bc08-0001020eed82.html
[3] vuxml.org/freebsd/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html

--
Simon L. Nielsen
FreeBSD Security Team
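An added example, not from the thread or from portaudit itself, showing why a package can stay flagged after one advisory is fixed: a minimal portaudit-style check over a constructed VuXML fragment modelled on the two entries Simon cites. The version ranges and the simplified version comparison are assumptions for illustration, not the real VuXML data or pkg_version semantics.

```python
import xml.etree.ElementTree as ET

# Constructed VuXML fragment: vids and topics are the two advisories named in
# the thread; the <range> bounds are illustrative assumptions, not real data.
VUXML_SAMPLE = """<vuxml>
  <vuln vid="f74dc01b-0e83-11da-bc08-0001020eed82">
    <topic>acroread -- plug-in buffer overflow vulnerability</topic>
    <affects><package><name>acroread7</name>
      <range><lt>7.0.1</lt></range></package></affects>
  </vuln>
  <vuln vid="02bc9b7c-e019-11d9-a8bd-000cf18bbe54">
    <topic>acroread -- XML External Entity vulnerability</topic>
    <affects><package><name>acroread7</name>
      <range><le>7.0.1</le></range></package></affects>
  </vuln>
</vuxml>"""

OPS = {
    "lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}

def parse_version(v):
    """Simplified dotted-numeric comparison. Real ports versions also carry
    _N / ,N suffixes that pkg_version understands; ignored here."""
    return tuple(int(x) for x in v.split("."))

def range_matches(rng, version):
    """A <range> matches when every bound it carries holds for version."""
    v = parse_version(version)
    return all(OPS[b.tag](v, parse_version(b.text)) for b in rng)

def audit(vuxml_text, pkgname, version):
    """Return the topic of every entry whose ranges cover pkgname-version.
    Each <vuln> is checked independently: fixing one advisory does not
    clear another that still covers the installed version."""
    hits = []
    for vuln in ET.fromstring(vuxml_text).findall("vuln"):
        for pkg in vuln.findall("affects/package"):
            if pkg.findtext("name") != pkgname:
                continue
            if any(range_matches(r, version) for r in pkg.findall("range")):
                hits.append(vuln.findtext("topic"))
    return hits

if __name__ == "__main__":
    for ver in ("7.0", "7.0.1"):
        print(f"acroread7-{ver}: {audit(VUXML_SAMPLE, 'acroread7', ver)}")
```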