From owner-freebsd-security@FreeBSD.ORG Sun Aug 28 11:43:28 2005 Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9A82216A41F; Sun, 28 Aug 2005 11:43:28 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk) Received: from zaphod.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2105643D46; Sun, 28 Aug 2005 11:43:28 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk) Received: by zaphod.nitro.dk (Postfix, from userid 3000) id D21C211A5F; Sun, 28 Aug 2005 13:43:26 +0200 (CEST) Date: Sun, 28 Aug 2005 13:43:26 +0200 From: "Simon L. Nielsen" To: Boris Samorodov Message-ID: <20050828114326.GE854@zaphod.nitro.dk> References: <200508281014.29868.imoore@swiftdsl.com.au> <87188868@srv.sem.ipt.ru> <20050828111317.GC854@zaphod.nitro.dk> <21107114@srv.sem.ipt.ru> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ZInfyf7laFu/Kiw7" Content-Disposition: inline In-Reply-To: <21107114@srv.sem.ipt.ru> User-Agent: Mutt/1.5.9i Cc: Ian Moore , freebsd-security@FreeBSD.org, trevor@freebsd.org, secteam@FreeBSD.org Subject: Re: Arcoread7 secutiry vulnerability X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 28 Aug 2005 11:43:28 -0000 --ZInfyf7laFu/Kiw7 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2005.08.28 15:25:25 +0400, Boris Samorodov wrote: > On Sun, 28 Aug 2005 13:13:18 +0200 Simon L. Nielsen wrote: > > > You are mixing up two different vulnerabilities [1]. The vulnerability > > fixed by the 7.0.1 upgrade was "acroread -- plug-in buffer overflow > > vulnerability" [2]. The vulnerability portaudit is warning you about > > is "acroread -- XML External Entity vulnerability" [3]. As far as I > > know Adobe has not released any fix for the Linux version of Adobe > > Reader for [3]. >=20 > > [1] http://www.vuxml.org/freebsd/pkg-acroread7.html > > [2] http://www.vuxml.org/freebsd/f74dc01b-0e83-11da-bc08-0001020eed82.h= tml > > [3] http://www.vuxml.org/freebsd/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.h= tml >=20 > Well, I think that Linux version is not suffered from CAN-2005-1306: > http://www.adobe.com/support/techdocs/331710.html >=20 > Platforms affected are Windows and Mac OS. Am I missing something? Adobe does not list the Linux version as affected, but the original reporter of the problem does list the Linux version as affected, at http://shh.thathost.com/secadv/adobexxe/ . In these cases we prefer err on the side of caution and will rather list a package as affected, even if it's not, rather than not listing a package that turn out to be affected. I have just written a mail to the original reporter of the problem to try to clarify the issue. --=20 Simon L. Nielsen FreeBSD Security Team --ZInfyf7laFu/Kiw7 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFDEaNeh9pcDSc1mlERAszVAKCPh5JmphoXHtrsmMix7F7kZ/nARQCgmqKS fJmb0ksDMqLLiGF+ExsYj84= =eVdN -----END PGP SIGNATURE----- --ZInfyf7laFu/Kiw7--