Julien Goodwin
2006-Jun-24 18:29 UTC
[Secure-testing-team] False positives from daily report
CVE-2006-0146 The server.php test script in ADOdb for PHP before...
<http://idssi.enyo.de/tracker/CVE-2006-0146>
- cacti (remotely exploitable)
CVE-2006-0147 Dynamic code evaluation vulnerability in...
<http://idssi.enyo.de/tracker/CVE-2006-0147>
- cacti (remotely exploitable)
(on a fully updated etch system)
This should be listed as fixed for etch and sid as well from version
0.8.6d-1 (First version where adodb code removed from source tarball).
That, or your daily report script fixed not to show this.
Also:
CVE-2006-0456 kernel: strlen_user() DoS on s390
<http://idssi.enyo.de/tracker/CVE-2006-0456>
- linux-headers-2.6.15-1-686-smp, linux-image-2.6-686-smp,
linux-image-2.6.15-1-686-smp, linux-headers-2.6.15-1,
linux-headers-2.6-686-smp
Would be nice if arch-specific issues (rare as I'm sure they are) could
be hidden if appropriate.
Thanks,
Julien
Florian Weimer
2006-Jun-25 10:55 UTC
[Secure-testing-team] False positives from daily report
* Julien Goodwin:

> This should be listed as fixed for etch and sid as well from version
> 0.8.6d-1 (First version where adodb code removed from source tarball).

AFAICT, this has been fixed.

> Also:
> CVE-2006-0456 kernel: strlen_user() DoS on s390
> <http://idssi.enyo.de/tracker/CVE-2006-0456>
> - linux-headers-2.6.15-1-686-smp, linux-image-2.6-686-smp,
> linux-image-2.6.15-1-686-smp, linux-headers-2.6.15-1,
> linux-headers-2.6-686-smp
> Would be nice if arch-specific issues (rare as I'm sure they are) could
> be hidden if appropriate.

We usually track bugs by their source packages. Basically, there are two reasons: The security team creates updates based on them, and binary package names (and versions, or the source package they are built from) can vary from architecture to architecture. I know that this approach has drawbacks, but it's still rather brittle, and I want to fix that before adding extensions to better deal with architecture-specific vulnerabilities.