[Secure-testing-team] Bug#731480: hplip: CVE-2013-6427: insecure (undocumented) auto update feature
Salvatore Bonaccorso
carnil at debian.org
Thu Dec 5 21:06:24 UTC 2013
Package: hplip
Severity: grave
Tags: security upstream
Hi,
the following vulnerability was published for hplip.
CVE-2013-6427[0]:
insecure auto update feature
SuSE decided to patch the update.py script to exit immediately, see [1]
for details. I have only verified that the hplip-data source package
in unstable indeed contains /usr/share/hplip/upgrade.py but not if
there is actually a chance to be run (as root) at one stage (thus the
severity might be argued).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6427
http://security-tracker.debian.org/tracker/CVE-2013-6427
[1] https://bugzilla.novell.com/show_bug.cgi?id=853405
[2] http://www.openwall.com/lists/oss-security/2013/12/05/2
Please adjust the affected versions in the BTS as needed (only
unstable verified for the source).
Regards,
Salvatore