On 30 Dec 2005, Florian Weimer wrote:

> Ah, this version has been binary-NMUed, and I didn't think about
> that. I think I've fixed the server-side data generation (it's
> r3179 in the secure-testing repository, for future reference). No
> client-side (i.e. debsecan) changes are required. Would you try
> again, please, and report back the results?
Florian,

Thanks a lot for this impressive reactivity, it's greatly appreciated.

The issue with proftpd seems to be fixed with the exact same setup, but the same kind of scenario still happens with the following packages:

[EMAIL PROTECTED]:~# debsecan --only-fixed --suite sarge
CVE-2005-0034 libdns11 (fixed, remotely exploitable, obsolete)
CVE-2005-2933 libc-client2003debian (fixed, remotely exploitable, medium urgency, obsolete)
CVE-2005-3185 libcurl2 (fixed, remotely exploitable, medium urgency, obsolete)
CVE-2005-4077 libcurl2 (fixed, medium urgency, obsolete)
CVE-2005-4077 libcurl3 (fixed, medium urgency)
CVE-2005-2672 libsensors2 (fixed, medium urgency, obsolete)
CVE-2005-2933 libc-client2002ddebian (fixed, remotely exploitable, medium urgency, obsolete)

[EMAIL PROTECTED]:~# apt-get install libdns11 libc-client2003debian libcurl2 libcurl2 libcurl3 libsensors2 libc-client2002ddebian
libdns11 is already the newest version.
libc-client2003debian is already the newest version.
libcurl2 is already the newest version.
libcurl2 is already the newest version.
libcurl3 is already the newest version.
libsensors2 is already the newest version.
libc-client2002ddebian is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

[EMAIL PROTECTED]:~# dpkg -l libdns11 libc-client2003debian libcurl2 libcurl2 libcurl3 libsensors2 libc-client2002ddebian
ii libdns11 9.2.3+9.2.4-rc7-1
ii libc-client2003debian 2003debian0.0304182231-1
ii libcurl2 7.11.2-10
ii libcurl2 7.11.2-10
ii libcurl3 7.15.0-4
ii libsensors2 2.8.1-2
ii libc-client2002ddebian 2002ddebian1-4
[EMAIL PROTECTED]:~#

I haven't reported them in the first report because I wanted to bring more attention to proftpd, since it's a lot more important for me than the packages in this email.

I plan to use debsecan with Nagios periodically and automatically in order to generate notifications as soon as one of my servers is compromised. I wish debsecan would soon return no output if nothing is compromised.
-- Cyril Bouthors
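A Nagios-style check of the kind the message above describes, written here as an added example (it is not code from the thread or from the debsecan project). It parses report lines in the exact form quoted above and maps them to Nagios exit codes (0 OK, 1 WARNING, 2 CRITICAL). It assumes that an entry flagged "obsolete" refers to an installed package that has no newer version in the suite, which is why apt-get reports "already the newest version" for it; such entries are reported as a WARNING for manual review rather than as an upgradeable fix. The sample output is constructed from the report quoted in the message.

```python
"""Nagios-style check built on `debsecan --only-fixed --suite sarge` output."""
import re
import subprocess

# One debsecan report line in the form shown in the thread, e.g.
# "CVE-2005-3185 libcurl2 (fixed, remotely exploitable, medium urgency, obsolete)"
LINE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s+(\S+)\s+\(([^)]*)\)$")

# Constructed sample taken from the report quoted in the thread (not live output).
SAMPLE_OUTPUT = """\
CVE-2005-0034 libdns11 (fixed, remotely exploitable, obsolete)
CVE-2005-3185 libcurl2 (fixed, remotely exploitable, medium urgency, obsolete)
CVE-2005-4077 libcurl3 (fixed, medium urgency)
CVE-2005-2672 libsensors2 (fixed, medium urgency, obsolete)
"""

def parse_debsecan(output):
    """Return one dict per parseable report line; anything else is ignored."""
    findings = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flags = [f.strip() for f in m.group(3).split(",")]
        findings.append({"cve": m.group(1), "package": m.group(2),
                         "remote": "remotely exploitable" in flags,
                         "obsolete": "obsolete" in flags})
    return findings

def nagios_state(findings):
    """Map findings to (exit code, summary): 0 OK, 1 WARNING, 2 CRITICAL.
    Assumption: 'obsolete' entries cannot be cleared by apt-get (the suite has
    no newer version of that package), so they are a WARNING for manual review."""
    pending = [f for f in findings if not f["obsolete"]]
    obsolete = [f for f in findings if f["obsolete"]]
    remote = [f"{f['cve']} {f['package']}" for f in pending if f["remote"]]
    if remote:
        return 2, "CRITICAL: remotely exploitable fix pending: " + ", ".join(remote)
    if pending:
        return 1, "WARNING: %d fixed vulnerabilities pending upgrade" % len(pending)
    if obsolete:
        return 1, "WARNING: %d findings on obsolete packages, review manually" % len(obsolete)
    return 0, "OK: no fixed vulnerabilities outstanding"

def run_check(suite="sarge", output=None):
    """Return (code, summary); runs debsecan unless `output` is supplied."""
    if output is None:
        output = subprocess.run(["debsecan", "--only-fixed", "--suite", suite],
                                capture_output=True, text=True, check=False).stdout
    return nagios_state(parse_debsecan(output))
```

Call `run_check()` from the Nagios plugin wrapper on a live host, or `run_check(output=SAMPLE_OUTPUT)` to exercise the classification offline; for the sample above it returns WARNING because libcurl3 still has a non-obsolete pending fix.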