
Hi,

According to http://www.securiteam.com/unixfocus/6Y0041F6AA.html, there is a buffer overflow in Cyrus Imapd <= 2.1.10. Since this package is delivered with SuSE 8.1, I'd like to know when a fix will be out.

Probably you already know this and are doing a full audit, but there was no notice in the last announcement about this one. I'm also worried about the kernel update. There is one available, but according to information in the update directory, it doesn't contain security fixes. Why?

One last word to cyrus: Why can't I do rpm -bb cyrus-imapd.spec, even if all programs listed there are installed? There is some link error with ucdsnmp. I found a hint that --disable-ucdsnmp fixes this. It worked, but how can you at SuSE build the packages? There is only one ucdsnmp package (not even a -devel one), so I'm rather confused.

I think that a page with known vulnerabilities in SuSE products would be a very-nice-to-have thing. I don't mean those that are kept secret (for whatever reason), but the others that have been published elsewhere already (like this one). I know it takes some time to check whether a vulnerability exists. But this is the place where the community can come to play.

I'm sure there are a lot of capable users and admins here on suse-security who are willing to test in such a way. In conjunction with a public bugtracking system, this could give necessary information about vulnerabilities in a very short time. (I'm not thinking about bugzilla, which is an ugly and huge beast, but something more cute.)

Please note again, I'm only talking about published vulnerabilities here and don't want to interfere with those that are found by SuSE auditors or other people who are closely working together with vendors and distributors (there have been some discussions about this, which I want to prevent).

kind regards,
Markus Gaugusch

--
 __________________
/"\    Markus Gaugusch
\ /    ASCII Ribbon Campaign    markus@gaugusch.at
 X     Against HTML Mail
/ \

Markus,

I asked about this last Tuesday (I think). Roman posted a message (Friday?) that a patch is being worked on atm.

As for a page with known vulnerabilities: do you mean something like:
http://www.suse.com/us/private/support/security/index.html ?

HTH
Stefan

On Monday 09 December 2002 23:03, Markus Gaugusch wrote:
> Hi, According to http://www.securiteam.com/unixfocus/6Y0041F6AA.html, there is a buffer overflow in Cyrus Imapd <= 2.1.10. Since this package is delivered with SuSE 8.1, I'd like to know when a fix will be out.
>
> Probably you already know this and are doing a full audit, but there was no notice in the last announcement about this one. I'm also worried about the kernel update. There is one available, but according to information in the update directory, it doesn't contain security fixes. Why?
>
> One last word to cyrus: Why can't I do rpm -bb cyrus-imapd.spec, even if all programs listed there are installed? There is some link error with ucdsnmp. I found a hint that --disable-ucdsnmp fixes this. It worked, but how can you at SuSE build the packages? There is only one ucdsnmp package (not even a -devel one), so I'm rather confused.
>
> I think that a page with known vulnerabilities in SuSE products would be a very-nice-to-have thing. I don't mean those that are kept secret (for whatever reason), but the others that have been published elsewhere already (like this one). I know it takes some time to check whether a vulnerability exists. But this is the place where the community can come to play.
>
> I'm sure there are a lot of capable users and admins here on suse-security who are willing to test in such a way. In conjunction with a public bugtracking system, this could give necessary information about vulnerabilities in a very short time. (I'm not thinking about bugzilla, which is an ugly and huge beast, but something more cute.)
>
> Please note again, I'm only talking about published vulnerabilities here and don't want to interfere with those that are found by SuSE auditors or other people who are closely working together with vendors and distributors (there have been some discussions about this, which I want to prevent).
>
> kind regards,
> Markus Gaugusch

> I asked about this last Tuesday (I think). Roman posted a message
> (Friday?) that a patch is being worked on atm.

Yeah, I knew there was something, but didn't find it again :(

> As for a page with known vulnerabilities: do you mean something like:
> http://www.suse.com/us/private/support/security/index.html

This only contains announcements. Usually SuSE doesn't write an announcement without fixed packages to announce. What I'm missing is a "pending vulnerabilities" list. According to my suggestion, this list would NOT be done by SuSE people, but by us. This would take some work off from them (although very little), but everything would be more transparent.

Markus

--
 __________________
/"\    Markus Gaugusch
\ /    ASCII Ribbon Campaign    markus@gaugusch.at
 X     Against HTML Mail
/ \
participants (2)
-
Markus Gaugusch
-
Stefan Suurmeijer