Subject: pkg/19157: audit-packages vulnerability list inaccurate for recent samba bug
To: None <gnats-bugs@gnats.netbsd.org>
From: None <jtk@kolvir.arlington.ma.us>
List: netbsd-bugs
Date: 11/24/2002 21:35:01
>Number: 19157
>Category: pkg
>Synopsis: audit-packages vulnerability list inaccurate for recent samba bug
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Nov 24 18:36:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: John Kohl
>Release: NetBSD 1.6_STABLE
>Organization:
NetBSD Kernel Hackers `R` Us
>Environment:
System: NetBSD kolvir.arlington.ma.us 1.6_STABLE NetBSD 1.6_STABLE (KOLVIR-$Revision: 1.51 $) #18: Fri Nov 1 22:29:05 EST 2002 jtk@kolvir.arlington.ma.us:/usr/u4/sandbox/src/sys/arch/i386/compile/KOLVIR i386
Architecture: i386
Machine: i386
>Description:
The new vulnerability has an apparent false positive on samba-2.0.10.
The web page says the bug is in 2.2.2 through 2.2.6, not mentioning
2.0.x.
>How-To-Repeat:
%/usr/pkg/sbin/audit-packages
Package samba-2.0.10 has a remote-root-shell vulnerability, see http://www.samba.org/samba/whatsnew/samba-2.2.7.html
>Fix:
Expressing the vulnerability as samba-2.2.[23456] should do it.
(Is there a syntax for greater than release x and less than release y?)
>Release-Note:
>Audit-Trail:
>Unformatted:
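Worked example, added here and not part of John Kohl's report or of the audit-packages script itself: a small Python checker that runs a glob-style entry such as the samba-2.2.[23456] proposed under >Fix side by side with a version-range check of the kind the closing question asks about, over a constructed list of installed package names. The installed list, the over-broad samba-* pattern used to reproduce the reported false positive on samba-2.0.10, and all helper names are assumptions made for illustration; the version-ordering rule is a deliberate simplification of pkg_install's dewey comparison, not its real code.

```python
import fnmatch
import re

# Constructed sample of installed package names (only samba-2.0.10 appears in the PR).
INSTALLED = [
    "samba-2.0.10",
    "samba-2.2.2",
    "samba-2.2.5",
    "samba-2.2.6",
    "samba-2.2.7",   # first fixed release according to the advisory URL in the PR
    "samba-2.2.10",  # constructed: shows why numeric, not lexical, comparison matters
]

ADVISORY = "http://www.samba.org/samba/whatsnew/samba-2.2.7.html"

# Constructed entries in the shape "pattern kind url". OVERBROAD_RULE is an assumed
# pattern that reproduces the false positive the PR reports; PROPOSED_RULE is the
# pattern the PR suggests instead.
OVERBROAD_RULE = ("samba-*", "remote-root-shell", ADVISORY)
PROPOSED_RULE = ("samba-2.2.[23456]", "remote-root-shell", ADVISORY)


def split_pkg(pkgname):
    """Split 'samba-2.2.6' into ('samba', '2.2.6'): the version begins at the
    last '-' that is followed by a digit."""
    m = re.match(r"^(.+)-(\d[^-]*)$", pkgname)
    if m is None:
        raise ValueError("not a versioned package name: %r" % pkgname)
    return m.group(1), m.group(2)


def version_key(version):
    """Map '2.2.10' to (2, 2, 10) so that 2.2.10 sorts after 2.2.2. A plain
    string comparison gets this wrong because '1' sorts before '2'. Letter
    suffixes such as '2.2.6a' are ignored (simplification of dewey rules)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def glob_matches(pattern, pkgname):
    """Shell-style match of the whole package name, e.g. samba-2.2.[23456]."""
    return fnmatch.fnmatchcase(pkgname, pattern)


def range_matches(base, lower, upper, pkgname):
    """True when pkgname is `base` with lower <= version < upper, i.e. the
    half-open range a 'samba>=2.2.2<2.2.7' style entry would express."""
    name, version = split_pkg(pkgname)
    if name != base:
        return False
    return version_key(lower) <= version_key(version) < version_key(upper)


def audit_glob(installed, rule):
    """Return the installed packages a glob-style rule flags, in input order."""
    pattern, _kind, _url = rule
    return [p for p in installed if glob_matches(pattern, p)]


def audit_range(installed, base, lower, upper):
    """Return the installed packages a version-range rule flags, in input order."""
    return [p for p in installed if range_matches(base, lower, upper, p)]


if __name__ == "__main__":
    reports = (
        ("over-broad glob samba-*", audit_glob(INSTALLED, OVERBROAD_RULE)),
        ("proposed glob samba-2.2.[23456]", audit_glob(INSTALLED, PROPOSED_RULE)),
        ("range samba>=2.2.2<2.2.7", audit_range(INSTALLED, "samba", "2.2.2", "2.2.7")),
    )
    for label, hits in reports:
        print(label)
        for p in hits:
            print("  Package %s has a remote-root-shell vulnerability, see %s" % (p, ADVISORY))
```

Running it shows the over-broad pattern flagging every samba package including 2.0.10, while both the proposed glob and the numeric range flag exactly 2.2.2, 2.2.5 and 2.2.6 and leave 2.2.7 and 2.2.10 alone. The range form is the more robust of the two: it does not depend on enumerating single characters, and because the comparison is numeric it cannot be fooled by 2.2.10 sorting lexically before 2.2.2.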