On Wed, 25 Nov 2009, Nico Golde wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for dstat.
> CVE-2009-3894[0]:
> | dstat is looking for plugins in the current working directory, which allows an
> | attacker to place malicious plugin content into a directory the victim calls
> | dstat from (e.g. /tmp)
> A CVE description is not yet public, so you might still see RESERVED on the
> mitre website. This exploit scenario is rather constructed in my opinion,
> though there is the possibility of exploiting people with it, and it would be
> nice to get it fixed.
> Patch by Robert Buchholz attached.
> If you fix the vulnerability, please also make sure to include the
> CVE id in your changelog entry.
> For further information see:
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3894
> http://security-tracker.debian.org/tracker/CVE-2009-3894
Please consider moving to Dstat 0.7.0 for unstable, which was
released today as part of the disclosure.
Kind regards,
--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/ --
[Any errors in spelling, tact or fact are transmission errors]
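The bug class behind CVE-2009-3894, as an added example that is not dstat's own plugin loader and not Robert Buchholz's patch: a loader that searches the current working directory before the system plugin directory, next to a hardened loader that only consults absolute, non-world-writable directories and rejects plugin names that could escape them. The `dstat_<name>.py` file naming, the `load()` entry point, the directory names and the two plugin bodies are all constructed for the demonstration.

```python
"""Plugin-search-path demo for the CVE-2009-3894 bug class (constructed example).

A victim runs the tool from /tmp; an attacker has dropped dstat_demo.py there.
The vulnerable finder takes the attacker's file, the hardened one does not.
"""
import importlib.util
import os
import stat
import tempfile

# Constructed plugin sources; they stand in for a real plugin and a planted one.
TRUSTED_PLUGIN = "def load():\n    return 'trusted plugin ran'\n"
MALICIOUS_PLUGIN = "def load():\n    return 'malicious plugin ran'\n"


def _import_file(path):
    """Execute a plugin file as a module and return it (hypothetical loader)."""
    spec = importlib.util.spec_from_file_location("dstat_plugin_demo", path)
    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)
    return mod


def find_plugin_vulnerable(name, cwd, plugin_dirs):
    """Vulnerable: the current working directory is searched first.

    Any file named dstat_<name>.py in cwd shadows the system plugin.
    """
    for d in [cwd] + list(plugin_dirs):
        candidate = os.path.join(d, f"dstat_{name}.py")
        if os.path.isfile(candidate):
            return candidate
    return None


def find_plugin_hardened(name, plugin_dirs):
    """Hardened: never consult cwd, skip relative or world-writable dirs,
    and refuse names that are not plain identifiers (no '/', '..', etc.).
    """
    if not name.isidentifier():
        raise ValueError(f"invalid plugin name: {name!r}")
    for d in plugin_dirs:
        if not os.path.isabs(d):
            continue  # a relative entry would resolve against cwd
        try:
            mode = os.stat(d).st_mode
        except OSError:
            continue
        if mode & stat.S_IWOTH:
            continue  # anyone could plant a plugin here (e.g. /tmp)
        candidate = os.path.join(d, f"dstat_{name}.py")
        if os.path.isfile(candidate):
            return candidate
    return None


def run_demo():
    """Return (vulnerable result, hardened result, hardened result with cwd listed)."""
    with tempfile.TemporaryDirectory() as root:
        victim_cwd = os.path.join(root, "tmp")           # stands in for /tmp
        trusted_dir = os.path.join(root, "share_dstat")  # stands in for the system dir
        os.makedirs(victim_cwd)
        os.makedirs(trusted_dir)
        os.chmod(victim_cwd, 0o1777)  # world-writable, sticky, like /tmp
        with open(os.path.join(victim_cwd, "dstat_demo.py"), "w") as f:
            f.write(MALICIOUS_PLUGIN)
        with open(os.path.join(trusted_dir, "dstat_demo.py"), "w") as f:
            f.write(TRUSTED_PLUGIN)

        vuln = _import_file(
            find_plugin_vulnerable("demo", victim_cwd, [trusted_dir])).load()
        hard = _import_file(
            find_plugin_hardened("demo", [trusted_dir])).load()
        # Even if an admin lists the world-writable dir, the hardened finder skips it.
        hard_mixed = _import_file(
            find_plugin_hardened("demo", [victim_cwd, trusted_dir])).load()
        return vuln, hard, hard_mixed


if __name__ == "__main__":
    for label, result in zip(("vulnerable", "hardened", "hardened+cwd"), run_demo()):
        print(f"{label:13s}: {result}")
```

The same shadowing happens implicitly in Python whenever `''` or `'.'` sits at the front of `sys.path`, which is the usual way this bug class enters a tool; the fix is to build the plugin path from fixed absolute directories rather than from wherever the user happened to run the command.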