| Summary: | <net-analyzer/nmap-6.47-r1: Arbitrary file upload flaw in http-domino-enum-passwords NSE script (CVE-2013-4885) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | netmon, zerochaos |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=995634 | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 512546, 529244 | | |
| Bug Blocks: | | | |

Description
Agostino Sarubbo
2013-08-10 10:17:37 UTC
I had to mask ~net-analyzer/nmap-6.40 since it depends on >=dev-lang/lua-5.2 (bug #253269 is supposed to deal with the grander issues of nmap's bundled libraries, but has none of the details on liblua). Quite similar to bug #396353, using the bundled liblua.a causes the linker to fail on some systems ("ld: ./../liblua/liblua.a(loadlib.o): undefined reference to symbol 'dlopen@@GLIBC_2.1'"). I could remove the dependency and link in the bundled liblua.a and then we could unmask it again, but then we'd still have the QA issue. Please advise.

Would it be possible to break this into two revs maybe? We could use the known bad bundled to get the security bug fixed, and then have an ~arch version that simply depends on the correct liblua? It's been over a year since lua 5.2 was added to the tree as masked, if there hasn't been some movement on that then...sigh, I won't even go there.

We could backport the changes to 6.25, too.

Backporting to 6.25 (if possible) sounds like a reasonable option to me.

The "undefined reference to symbol 'dlopen@@GLIBC_2.1'" error is caused by the library order, which is a known issue. Fix can be found here: http://seclists.org/nmap-dev/2013/q3/att-216/nmap-6_40-fix-lib-order.patch

I've recently applied this fix to the pentoo overlay: http://code.google.com/p/pentoo/source/browse/portage/trunk/net-analyzer/nmap/nmap-6.40-r3.ebuild

Arch teams, please test and mark stable:
=net-analyzer/nmap-6.47-r1
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

PPC and PPC64 will of course need to address bug #512546 first.

amd64 stable

x86 stable

Stable for HPPA.

Stable on alpha.

ia64 stable

we can't proceed, since newer nmap versions have dependency on dev-libs/liblinear, which isn't keyworded for ppc*

(arm stable)

(In reply to Mikle Kolyada from comment #12)
> we can't proceed, since newer nmap versions have dependency on
> dev-libs/liblinear, which isn't keyworded for ppc*

That's why this bug depends on bug #512546.

ppc64 stable

sparc stable

ppc stable. Maintainer(s), please cleanup. Security, please vote.

GLSA Vote: No

GLSA vote: no. Closing as [noglsa]