Hi Justin: Thanks for bringing this to our attention. I'm at SC this week but once I'm back I'll have a look at this issue to see whether it is still valid for our latest released version(s).
Cheers,
Bernard

On Wed, Nov 18, 2009 at 11:26 AM, Justin Moninger <[email protected]> wrote:
> Hi All,
>
> I’m new to using SystemImager, but a coworker turned me on to it and he
> loves it. It is the perfect tool for my disaster recovery plan for a system
> I’m working on. Prior to putting things into production I have to run
> things by our IT security engineers, and one of them found the following
> (details below):
>
> CVE-2008-5156
>
> I did look through the SysImager Trac instance, but found nothing related.
> My research led me to believe this is Debian only (I use Red Hat/CentOS),
> but I don’t fully understand the problem. Does anyone know if this is an
> issue or if it was patched for 4.0.2? Otherwise is the mitigation just
> chmod’ing /tmp after pushing the image, or is this a build time
> vulnerability?
>
> Thanks!!!
>
> Justin
>
> ---------------------
>
> Vulnerability Summary for CVE-2008-5156
>
> Original release date: 11/18/2008
> Last revised: 11/18/2008
> Source: US-CERT/NIST
>
> Overview
>
> si_mkbootserver in systemimager-server 3.6.3 allows local users to overwrite
> arbitrary files via a symlink attack on a (1) /tmp/*.inetd.conf or (2)
> /tmp/pxe.conf.*.tmp temporary file.
>
> Impact
>
> CVSS Severity (version 2.0):
>
> CVSS v2 Base Score: 6.9 (MEDIUM) (AV:L/AC:M/Au:N/C:C/I:C/A:C) (legend)
> Impact Subscore: 10.0
> Exploitability Subscore: 3.4
>
> CVSS Version 2 Metrics:
>
> Access Vector: Locally exploitable
> Access Complexity: Medium
> Authentication: Not required to exploit
> Impact Type: Allows unauthorized disclosure of information; Allows
> unauthorized modification; Allows disruption of service
>
> _______________________________________________
> sisuite-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/sisuite-users
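Added illustration (my own code, not from the thread or from SystemImager) of the temporary-file pattern the CVE summary above describes: a fixed, guessable /tmp-style name written with a plain open() follows a symlink that already sits at that path, while mkstemp() or an O_CREAT|O_EXCL open does not. Everything runs inside a throwaway directory; the victim file, the planted symlink and the name pxe.conf.1234.tmp are constructed for the demonstration.

```python
import os
import tempfile

def write_predictable(tmpdir, name, data):
    # Pattern the advisory describes: a fixed, guessable file name opened with
    # plain open(), which silently follows any symlink already sitting there.
    path = os.path.join(tmpdir, name)
    with open(path, "w") as fh:
        fh.write(data)
    return path

def write_hardened(tmpdir, prefix, data):
    # Fix: mkstemp() picks an unpredictable name and creates it with
    # O_CREAT|O_EXCL, so a pre-planted link or file cannot be reused.
    fd, path = tempfile.mkstemp(prefix=prefix, suffix=".tmp", dir=tmpdir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def create_exclusive(path, data):
    # When the name really must be fixed: O_EXCL refuses an existing path and
    # O_NOFOLLOW (where the platform has it) refuses to traverse a symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:          # EEXIST (or ELOOP): something is already there
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return True

def demo():
    # Everything happens in a throwaway directory, never the real /tmp.
    sandbox = tempfile.mkdtemp()
    victim = os.path.join(sandbox, "victim.conf")  # constructed stand-in file
    with open(victim, "w") as fh:
        fh.write("original\n")
    planted = os.path.join(sandbox, "pxe.conf.1234.tmp")
    os.symlink(victim, planted)  # constructed pre-existing symlink
    write_predictable(sandbox, "pxe.conf.1234.tmp", "clobbered\n")
    with open(victim) as fh:
        victim_after = fh.read()
    safe = write_hardened(sandbox, "pxe.conf.", "config\n")
    with open(safe) as fh:
        safe_content = fh.read()
    return {
        "victim_after": victim_after,           # "clobbered\n": link followed
        "safe_is_link": os.path.islink(safe),   # False: fresh exclusive file
        "safe_content": safe_content,           # "config\n"
        "exclusive_refused": not create_exclusive(planted, "x"),  # True
    }
```

The first result is the overwrite the advisory reports; the other three show that mkstemp() and O_EXCL never touch the planted path.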
