On 2005.08.28 15:25:25 +0400, Boris Samorodov wrote: > On Sun, 28 Aug 2005 13:13:18 +0200 Simon L. Nielsen wrote: > > > You are mixing up two different vulnerabilities [1]. The vulnerability > > fixed by the 7.0.1 upgrade was "acroread -- plug-in buffer overflow > > vulnerability" [2]. The vulnerability portaudit is warning you about > > is "acroread -- XML External Entity vulnerability" [3]. As far as I > > know Adobe has not released any fix for the Linux version of Adobe > > Reader for [3]. > > > [1] http://www.vuxml.org/freebsd/pkg-acroread7.html > > [2] http://www.vuxml.org/freebsd/f74dc01b-0e83-11da-bc08-0001020eed82.html > > [3] http://www.vuxml.org/freebsd/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html > > Well, I think that Linux version is not suffered from CAN-2005-1306: > http://www.adobe.com/support/techdocs/331710.html > > Platforms affected are Windows and Mac OS. Am I missing something?
Adobe does not list the Linux version as affected, but the original reporter of the problem does list the Linux version as affected, at http://shh.thathost.com/secadv/adobexxe/ . In these cases we prefer err on the side of caution and will rather list a package as affected, even if it's not, rather than not listing a package that turn out to be affected. I have just written a mail to the original reporter of the problem to try to clarify the issue. -- Simon L. Nielsen FreeBSD Security Team
pgpbUP3vl79ly.pgp
Description: PGP signature
