CVE-2008-4938 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4938): aegis 4.24 and aegis-web 4.24 allow local users to overwrite arbitrary files via a symlink attack on (a) /tmp/#####, (b) /tmp/#####.intro, (c) /tmp/aegis.#####.ae, (d) /tmp/aegis.#####, (e) /tmp/aegis.#####.1, (f) /tmp/aegis.#####.2, (g) /tmp/aegis.#####.log, and (h) /tmp/aegis.#####.out temporary files, related to the (1) bng_dvlpd.sh, (2) bng_rvwd.sh, (3) awt_dvlp.sh, (4) awt_intgrtn.sh, and (5) aegis.cgi scripts.
From #235770:
DEBIAN: http://bugs.debian.org/496402
DEBIAN: http://bugs.debian.org/496400
FILES: bng_dvlpd.sh, bng_rvwd.sh, awt_dvlp.sh, awt_intgrtn.sh, aegis.cgi
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/aegis
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/aegis-web
No maintainer...shall we remove or hardmask it?!
awt_dvlp.sh, awt_intgrtn.sh are addressed in 4.24.1 via http://sourceforge.net/tracker/index.php?func=detail&aid=2079025&group_id=224&atid=100224
aegis.cgi is removed in 4.24.1; a patch would have been here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496400#24
Upstream bug for the remaining files: https://sourceforge.net/tracker/?func=detail&aid=2820524&group_id=224&atid=100224
Since I got two bugs open for this package already, should we go looking for somebody to fix this?
Masked for removal
(In reply to comment #5)
> Masked for removal

Removed from tree (in light of on-going dev-vcs category moving.)
GLSA: no
NO too, closing.
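The bug class named in the CVE description at the top of this report (shell scripts writing to PID-derived names such as /tmp/aegis.#####.log), shown beside a hardened form. This is an added example, not code from aegis or from this bug report; the function names, the scratch directory layout and the file contents are constructed for illustration.

```shell
#!/bin/sh
# Constructed illustration of the temp-file pattern; not taken from the aegis scripts.
# Everything runs inside a private scratch directory, never in /tmp itself.

# Unsafe pattern: the name is derived from the PID and opened with a plain
# redirection. If that path already exists as a symlink, the redirection
# follows it and the data lands on the link target.
write_predictable() {   # $1 = directory, $2 = data
    tmp="$1/aegis.$$.log"
    echo "$2" > "$tmp"
    echo "$tmp"
}

# Hardened pattern: mktemp chooses an unpredictable name and creates the file
# exclusively (it fails instead of reusing an existing path), owner-only mode.
write_safe() {          # $1 = directory, $2 = data
    tmp=$(mktemp "$1/aegis.XXXXXXXXXX") || return 1
    echo "$2" > "$tmp"
    echo "$tmp"
}

# Runs both patterns against a pre-existing symlink at the guessable name and
# reports what the file behind the link contains after each write.
demo() {
    scratch=$(mktemp -d) || return 1
    victim="$scratch/victim.txt"
    mkdir "$scratch/tmp"
    echo "original" > "$victim"
    ln -s "$victim" "$scratch/tmp/aegis.$$.log"   # link sitting at the PID-derived name

    write_predictable "$scratch/tmp" "scratch data" > /dev/null
    after_unsafe=$(cat "$victim")                 # overwritten through the link

    echo "original" > "$victim"
    write_safe "$scratch/tmp" "scratch data" > /dev/null
    after_safe=$(cat "$victim")                   # untouched

    rm -rf "$scratch"
    echo "$after_unsafe|$after_safe"
}

demo
```

When auditing the scripts listed in this report, the thing to look for is any redirection to a `/tmp/...$$...` path that is not preceded by an exclusive create such as `mktemp`.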