On 30 Dec 2005, Florian Weimer wrote:

> Ah, this version has been binary-NMUed, and I didn't think about
> that.  I think I've fixed the server-side data generation (it's
> r3179 in the secure-testing repository, for future reference).  No
> client-side (i.e. debsecan) changes are required.  Would you try
> again, please, and report back the results?

Florian,

Thanks a lot for this impressive reactivity; it's greatly appreciated.

The issue with proftpd seems to be fixed with the exact same setup, but
the same kind of scenario still happens with the following packages:

[EMAIL PROTECTED]:~# debsecan --only-fixed --suite sarge
CVE-2005-0034 libdns11 (fixed, remotely exploitable, obsolete)
CVE-2005-2933 libc-client2003debian (fixed, remotely exploitable, medium 
urgency, obsolete)
CVE-2005-3185 libcurl2 (fixed, remotely exploitable, medium urgency, obsolete)
CVE-2005-4077 libcurl2 (fixed, medium urgency, obsolete)
CVE-2005-4077 libcurl3 (fixed, medium urgency)
CVE-2005-2672 libsensors2 (fixed, medium urgency, obsolete)
CVE-2005-2933 libc-client2002ddebian (fixed, remotely exploitable, medium 
urgency, obsolete)
[EMAIL PROTECTED]:~# apt-get install libdns11 libc-client2003debian libcurl2 
libcurl2 libcurl3 libsensors2 libc-client2002ddebian
libdns11 is already the newest version.
libc-client2003debian is already the newest version.
libcurl2 is already the newest version.
libcurl2 is already the newest version.
libcurl3 is already the newest version.
libsensors2 is already the newest version.
libc-client2002ddebian is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
[EMAIL PROTECTED]:~# dpkg -l libdns11 libc-client2003debian libcurl2 libcurl2 
libcurl3 libsensors2 libc-client2002ddebian
ii  libdns11                              9.2.3+9.2.4-rc7-1
ii  libc-client2003debian                 2003debian0.0304182231-1
ii  libcurl2                              7.11.2-10
ii  libcurl2                              7.11.2-10
ii  libcurl3                              7.15.0-4
ii  libsensors2                           2.8.1-2
ii  libc-client2002ddebian                2002ddebian1-4
[EMAIL PROTECTED]:~#

I didn't report them in the first report because I wanted to bring
more attention to proftpd, since it's a lot more important for me than
the packages in this email.

I plan to use debsecan with Nagios periodically and automatically in
order to generate notifications as soon as one of my servers is compromised.
I wish debsecan would soon return no output if nothing is compromised.
-- 
Cyril Bouthors
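A Nagios-style wrapper along the lines of what Cyril describes, added here as an example and not part of debsecan or of this thread. It assumes the report format visible in the session above (one finding per line, `CVE-id package (flag, flag, ...)`, unwrapped) and treats the `obsolete` flag as the case where apt-get has nothing newer to install, so those findings only warn instead of paging.

```sh
#!/bin/sh
# check_debsecan: Nagios plugin wrapper around "debsecan --only-fixed".
# Exit codes follow the Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
# Assumed report format (from the mail above): "CVE-2005-4077 libcurl3 (fixed, medium urgency)".

# classify_debsecan: reads report lines on stdin, prints "<critical> <obsolete>".
#   critical = fixed findings where an upgrade should be available
#   obsolete = findings carrying the "obsolete" flag (apt-get reports nothing newer,
#              as in the session above), which need manual review rather than a page
classify_debsecan() {
    critical=0
    obsolete=0
    while IFS= read -r line; do
        case "$line" in
            CVE-*) ;;                  # a finding line
            *) continue ;;             # anything else (blank lines, notes) is ignored
        esac
        case "$line" in
            *obsolete*) obsolete=$((obsolete + 1)) ;;
            *)          critical=$((critical + 1)) ;;
        esac
    done
    echo "$critical $obsolete"
}

# nagios_state <critical> <obsolete>: maps the counts to a Nagios exit code.
nagios_state() {
    [ "$1" -gt 0 ] && return 2
    [ "$2" -gt 0 ] && return 1
    return 0
}

# run_check [suite]: runs debsecan (suite defaults to sarge) and prints the status line.
run_check() {
    command -v debsecan >/dev/null 2>&1 || { echo "DEBSECAN UNKNOWN - debsecan not installed"; return 3; }
    counts=$(debsecan --only-fixed --suite "${1:-sarge}" 2>/dev/null | classify_debsecan)
    crit=${counts% *}
    obs=${counts#* }
    nagios_state "$crit" "$obs"
    rc=$?
    case $rc in
        0) echo "DEBSECAN OK - no fixed vulnerabilities pending" ;;
        1) echo "DEBSECAN WARNING - $obs obsolete package(s) flagged, review manually" ;;
        2) echo "DEBSECAN CRITICAL - $crit upgradable package(s) vulnerable, $obs obsolete" ;;
    esac
    return $rc
}
```

Called as `run_check sarge` from a Nagios command definition, it stays silent about findings that apt-get cannot act on and only goes CRITICAL when an installable fix exists.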
