Bug#877361: CVE-2017-14609

2018-09-12 Thread Guillem Jover
Hi!

On Sun, 2017-10-01 at 00:23:16 +0200, Moritz Muehlenhoff wrote:
> Source: kannel
> Severity: important
> Tags: security

> Please see:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14609
> https://redmine.kannel.org/issues/771

I think that report is bogus. If this is an actual issue at all it
might be in OpenRC's fork of start-stop-daemon. dpkg's version uses
all match options to limit what it will be acting on, which in this
case means that the stop will be restricted by the pid in the pidfile
and by the currently running process pointing to the system absolute path
for run_kannel_box.

As I mentioned on the upstream bug, the init scripts could be made a
bit more robust by using the --user match option, but this would not
imply we have suddenly fixed any kind of security issue here.

Thanks,
Guillem
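To illustrate the point made above, here is an added Python model (not dpkg's code and not from the thread) of how dpkg's start-stop-daemon narrows its candidate set: every match option given must hold, so a pidfile that names an unrelated pid is rejected once --exec is in play, and --user narrows it further. The process table, the uid 107 and the path /usr/sbin/run_kannel_box are constructed for the example.

```python
# Added illustration, not dpkg's implementation: each match option
# (pidfile, exec path, user) further restricts the processes that
# start-stop-daemon will signal; a process must satisfy ALL of them.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Proc:
    pid: int
    exe: str   # what /proc/<pid>/exe would resolve to
    uid: int   # owner of the process


def read_pidfile(contents: str) -> Optional[int]:
    """Parse a pidfile; anything that is not a positive integer is ignored."""
    try:
        pid = int(contents.strip())
    except ValueError:
        return None
    return pid if pid > 0 else None


def select_targets(procs: List[Proc], pidfile: Optional[str] = None,
                   exec_path: Optional[str] = None,
                   uid: Optional[int] = None) -> List[int]:
    """Return the pids that would be acted on with the given matchers."""
    candidates = procs
    if pidfile is not None:                      # --pidfile
        pid = read_pidfile(pidfile)
        candidates = [p for p in candidates if p.pid == pid]
    if exec_path is not None:                    # --exec
        candidates = [p for p in candidates if p.exe == exec_path]
    if uid is not None:                          # --user
        candidates = [p for p in candidates if p.uid == uid]
    return [p.pid for p in candidates]


# Constructed process table: the kannel box and an unrelated daemon.
KANNEL_EXE = "/usr/sbin/run_kannel_box"          # assumed path
PROCS = [Proc(pid=1234, exe=KANNEL_EXE, uid=107),
         Proc(pid=4321, exe="/usr/sbin/sshd", uid=0)]


def demo() -> dict:
    tampered = "4321\n"   # pidfile rewritten to name the unrelated daemon
    return {
        "pidfile_only": select_targets(PROCS, pidfile=tampered),
        "pidfile_and_exec": select_targets(PROCS, pidfile=tampered,
                                           exec_path=KANNEL_EXE),
        "genuine": select_targets(PROCS, "1234\n", KANNEL_EXE, uid=107),
        "wrong_user": select_targets(PROCS, "1234\n", KANNEL_EXE, uid=0),
    }
```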



Bug#877361: CVE-2017-14609

2017-09-30 Thread Moritz Muehlenhoff
Source: kannel
Severity: important
Tags: security

Please see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14609
https://redmine.kannel.org/issues/771

Cheers,
Moritz