severity 301430 serious
tags 301430 + patch
tags 301430 + upstream
tags 301430 + security
thanks

On Thu, Mar 31, 2005 at 08:46:41PM -0500, Hubert Chan wrote:
> I believe this bug is fixed by two patches that can be found at:
> http://uw-dig.uwaterloo.ca/~hy3chan/patches/openmosixview/1.5/
> (patches 20-logdirectory.diff and 50-nonodestmp.diff). I think
> that they should apply cleanly without the other patches -- probably
> at worst with some fuzz. I'm trying to confirm with the people who
> originally reported the vulnerability to check that the patches do
> indeed fix the issues that they reported, but I'm pretty sure they do.
>
> The patches found there (except for 99debian.diff) have already been
> accepted by upstream for inclusion in the next release of
> openMosixView.
>
> 20-logdirectory.diff may break other software that depends on a
> predictable location for the openMosixViewCollector logs (such as
> openMosixWebView, not included in Debian, and I think that
> openMosixWebView has been changed to check both locations). But I
> don't think there's any other way around it -- besides, upstream is
> already going to implement the change in the next release.
>
> For reference, my mail to Rexotec (the original reporters) and the
> openMosixView mailing list can be found at:
> http://sourceforge.net/mailarchive/message.php?msg_id=11330106
>

Nice news. I'll keep an eye on the proposed patches before committing.
The symlink exploit should be obviously manageable.

--
Francesco P. Lovergine