Ludovico

correct it is already fixed in 1.2.0 but in 1.2.1 we have improved the security checks

Luca

On 10 Sep 2014, at 02:14, Ludovico Cavedon <cave...@debian.org> wrote:

> Hi Luca,
>
> my understanding (supported by a simple test and code check) was that
> CVE-2014-4329 was fixed in version 1.2.0
> https://svn.ntop.org/bugzilla/show_bug.cgi?id=379
>
> However, as Salvatore noticed, it is announced as being fixed in version
> 1.2.1.
>
> Can you confirm which version fixed it, please?
>
> Thanks,
> Ludovico
>
> On Tue, Sep 9, 2014 at 11:06 AM, Salvatore Bonaccorso <car...@debian.org>
> wrote:
>> Source: ntopng
>> Severity: grave
>> Tags: security upstream fixed-upstream
>>
>> Hi Ludovico,
>>
>> Marking this bugreport as grave, as more information seem a bit
>> scarce, so was not able to identify the issues. There is an upstream
>> report [1] which mentions several fixes were done in ntopng 1.2.1.
>>
>> [1] http://www.ntop.org/ndpi/released-ndpi-1-5-1-and-ntopng-1-2-1/
>>
>>> Fixes for
>>> - CVE-2014-5464
>>
>>> - CVE-2014-4329
>>
>> Strangely this was marked as fixed in 1.2.0+dfsg1-1 in the security
>> tracker at [2]. Is this information correct?
>>
>> [2] https://security-tracker.debian.org/tracker/CVE-2014-4329
>>
>>> - CVE-2014-5511, CVE-2014-5512, CVE-2014-5513, CVE-2014-5514,
>>> CVE-2014-5515
>>
>> No information referenced for these in the advisory.
>>
>> Could you have a look at them and also clarify if CVE-2014-4329
>> version information is wrong in the tracker?
>>
>> Regards,
>> Salvatore