Hi,

About three weeks ago, on this page http://www.novell.com/linux/security/advisories/2005_01_sr.html in its header as 'pending' there was something mentioned as "wget file overwrite problems"; which in fact was not described in detail.

Could you please provide more information on that; is there any fix in process, and which SUSE versions are affected?

Thanks in advance,
Pelibali
On Sun, Feb 06, 2005 at 05:52:28PM +0100, pelibali wrote:
> Hi,
> About three weeks ago, on this page http://www.novell.com/linux/security/advisories/2005_01_sr.html in its header as 'pending' there was something mentioned as "wget file overwrite problems"; which in fact was not described in detail.
> Could you please provide more information on that; is there any fix in process, and which SUSE versions are affected?

There is no patch yet. It's also not that critical to hurry - evil remote servers can overwrite files one directory up from the current one. You usually do not download from evil servers.

Ciao, Marcus
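The "one directory up" effect Marcus describes comes from a client joining a server-chosen file name onto its download directory without rejecting `..` components. The Python below is an added illustration for this thread, not wget's code and not anything posted by the participants: `naive_target` shows where an unchecked join lands, and `is_safe_remote_filename` / `safe_target` show the check a download client should apply before writing. The directory and file names are constructed sample values.

```python
import posixpath


def naive_target(download_dir: str, remote_name: str) -> str:
    """Path a client ends up writing when it trusts the server-supplied name.

    The name is joined as-is, so a leading '..' component walks out of the
    download directory. This is the behaviour to avoid, shown for contrast.
    """
    return posixpath.normpath(posixpath.join(download_dir, remote_name))


def is_safe_remote_filename(name: str) -> bool:
    """Accept only a single, plain path component.

    Rejects empty names, NUL bytes, any separator (so no subdirectories and
    no traversal), and the special '.' / '..' entries.
    """
    if not name or "\x00" in name:
        return False
    if "/" in name or "\\" in name:
        return False
    if name in (".", ".."):
        return False
    return True


def safe_target(download_dir: str, remote_name: str) -> str:
    """Join a validated name under download_dir and confirm it stays there.

    Raises ValueError instead of silently renaming, so the caller can decide
    how to handle a server that sends a suspicious name.
    """
    if not is_safe_remote_filename(remote_name):
        raise ValueError(f"refusing server-supplied file name: {remote_name!r}")
    root = posixpath.normpath(download_dir)
    target = posixpath.normpath(posixpath.join(root, remote_name))
    # Defence in depth: the validated name must land directly under root.
    if posixpath.dirname(target) != root:
        raise ValueError(f"resolved path escapes download directory: {target!r}")
    return target


if __name__ == "__main__":
    # Constructed sample: a download directory and names a server might send.
    download_dir = "/home/user/downloads"
    samples = ["report.pdf", "../.bashrc", "sub/report.pdf", ".."]
    for name in samples:
        print(f"{name!r:20} naive -> {naive_target(download_dir, name)}")
        try:
            print(f"{'':20} safe  -> {safe_target(download_dir, name)}")
        except ValueError as exc:
            print(f"{'':20} safe  -> rejected ({exc})")
```

The naive join is what makes a name like `../.bashrc` land in the parent directory; the strict check refuses anything that is not a single file name, which is the simplest policy for a client that only ever writes into one directory.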
On Sun, Feb 06, 2005 at 06:49:17PM +0100, Marcus Meissner wrote:
> There is no patch yet. It's also not that critical to hurry - evil remote servers can overwrite files one directory up from the current one. You usually do not download from evil servers.

I download quite a lot of stuff from servers where I can't be sure that they aren't evil. In fact, I probably do half of my downloads with konqueror, the other half with wget.

What I find interesting is that in the latest security advisory, there's the passage

2) pending vulnerabilities, solutions, workarounds: - None.

How does this match with the wget problem? Is this an oversight or some misunderstanding in the interpretation of this message?

ciao
Joerg

PS: I probably should have started my mail with this: You are doing a good job with the advisories and keeping us informed - it feels to me things have improved significantly since you took over (but there seems to be some room for improvement too, see above ;)

--
Joerg Mayer <jmayer@loplof.de>
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.
On Sun, Feb 06, 2005 at 07:04:22PM +0100, Joerg Mayer wrote:
> On Sun, Feb 06, 2005 at 06:49:17PM +0100, Marcus Meissner wrote:
> > There is no patch yet. It's also not that critical to hurry - evil remote servers can overwrite files one directory up from the current one. You usually do not download from evil servers.
>
> I download quite a lot of stuff from servers where I can't be sure that they aren't evil. In fact, I probably do half of my downloads with konqueror, the other half with wget.
>
> What I find interesting is that in the latest security advisory, there's the passage
>
> 2) pending vulnerabilities, solutions, workarounds: - None.
>
> How does this match with the wget problem? Is this an oversight or some misunderstanding in the interpretation of this message?
>
> ciao
> Joerg
>
> PS: I probably should have started my mail with this: You are doing a good job with the advisories and keeping us informed - it feels to me things have improved significantly since you took over (but there seems to be some room for improvement too, see above ;)

It is still open. The summary takes like 2 hours, which I barely have the time to spare sometimes ;) I tend to list only critical vulnerabilities there currently.

Ciao, Marcus
Hi,

On Sun, 6 Feb 2005 19:04:22 +0100 Joerg Mayer <.> wrote:
...
> What I find interesting is that in the latest security advisory, there's the passage
>
> 2) pending vulnerabilities, solutions, workarounds: - None.
>
> How does this match with the wget problem? Is this an oversight or some misunderstanding in the interpretation of this message?
>
> ciao
> Joerg
>
> PS: I probably should have started my mail with this: You are doing a good job with the advisories and keeping us informed - it feels to me things have improved significantly since you took over (but there seems to be some room for improvement too, see above ;)

I also think that there were many improvements, and the general picture of SUSE's security strategy got much better. Really. At the same time I think the problem was mostly with that particular report http://www.novell.com/linux/security/advisories/2005_01_sr.html , where the thread-starting wget vulnerability was mentioned, but not described at all. If you look at the header info of that report, and compare that to its body, you will see what I mean. This can happen of course to all of us, but for me the strangest were also the few lines you quoted previously, as if there were no more pending vulns...

Best regards,
Pelibali

PS. Independently of how this minor wget story ends, we should CONGRATULATE Marcus and his team: e.g. for 9.1 there were 75 (!) YOU rpm packages released in January 2005, if we don't count the duplicates... Nice job!