List: oss-security
Subject: Re: [oss-security] CVE Request: incomplete fix for CVE-2010-1000 in
From: Josh Bressers <bressers () redhat ! com>
Date: 2011-04-15 18:52:34
Message-ID: 889145794.11829.1302893554457.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com
Please use CVE-2011-1586
Thanks.
--
JB
----- Original Message -----
> A bug was filed in Ubuntu[1] for patches[2][3] that went into KDE
> Network for an incomplete fix for CVE-2010-1000. The commit message
> is:
>
> "Further addresses CVE-2010-1000. The file name of Metalink File is
> checked a better way, making it work under more conditions."
>
> While the previous patch fixed things like '../../tmp/gotcha', it did
> not fix a single leading '../'.
>
> [1]https://bugs.launchpad.net/ubuntu/+source/kdenetwork/+bug/757526
> [2]http://websvn.kde.org/?view=revision&revision=1227468 (4.4)
> [3]http://websvn.kde.org/?view=revision&revision=1227469 (4.5)
>
> --
> Jamie Strandboge | http://www.canonical.com
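
Added example, not part of the original thread and not KDE's code: the quoted report describes a check that caught '../../tmp/gotcha' but missed a single leading '../'. The sketch below contrasts a hypothetical substring check with that gap against a component-wise resolver; the function names and the download directory are assumptions made for illustration.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical incomplete check (constructed here, not KDE's code):
// it only looks for an embedded "/../", so one leading "../" passes.
bool naive_is_safe(const std::string& name) {
    return name.find("/../") == std::string::npos;
}

// Resolve an untrusted relative file name under base, one component at
// a time. Returns the joined path, or an empty string if the name is
// absolute, normalizes to nothing, or climbs above base at any point.
std::string resolve_under(const std::string& base, const std::string& name) {
    if (name.empty() || name[0] == '/') return "";
    std::vector<std::string> kept;
    std::istringstream in(name);
    std::string part;
    while (std::getline(in, part, '/')) {
        if (part.empty() || part == ".") continue;  // "a//b" and "a/./b"
        if (part == "..") {
            if (kept.empty()) return "";            // would escape base
            kept.pop_back();
        } else {
            kept.push_back(part);
        }
    }
    if (kept.empty()) return "";                    // names base itself
    std::string out = base;
    for (const std::string& p : kept) out += "/" + p;
    return out;
}

int main() {
    // Constructed sample names; the first two are the ones in the report.
    const char* samples[] = {"../../tmp/gotcha", "../gotcha",
                             "iso/./disk1.iso", "a/../../b"};
    for (const char* s : samples) {
        std::string path = resolve_under("/home/user/Downloads", s);
        std::cout << s << "  naive_ok=" << naive_is_safe(s) << "  strict="
                  << (path.empty() ? "rejected" : path) << "\n";
    }
    return 0;
}
```

The resolver is purely lexical: it does not follow symlinks, so a caller that must also defend against a symlinked component inside the download directory needs a filesystem-level check on the final path as well.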