Re: Vulnerabilitites in Debian F*EX <= 20100208 and F*EX 20111129-2.

[Henri Salo <henri () nerv fi>]

On Mon, Feb 20, 2012 at 01:15:10PM +0100, Nico Golde wrote:
> Hi,
> * muuratsalo experimental hack lab <muuratsalo () gmail com> [2012-02-20 12:51]:
> > I am Nicola Fioravanti aka muuratsalo | muuratsalo experimental hack lab.
> > I am writing you because I have discovered some vulnerabilities in
> > Debian F*EX <= 20100208 (stable) and F*EX 20111129-2. (testing and
> > unstable)
> > I have already contacted the Author who confirmed the vulnerabilities
> > and applied the suggested fixes.
> > A major update of F*EX  has been released on the 15th of February
> > 2012. The Debian Mantainer of the package is working on it.
> > Together with the Author we decided not to release any public advisory
> > before the release of the new Debian package.
> >
> > I would be grateful if you could assign CVE ids to the discovered issues.
>
> I asked Nicola to send this to oss-security as the impact of this bug is 
> fairly low in my opinion and the issue is public via the upstream changelog.
>
> Can someone please assign a CVE id to this? Given that all of the vulnerable 
> input parameters are in the fup component, I guess one id should be 
> sufficient.
>
> Kind regards
> Nico
> -- 
> Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0xA0A0AAAA
> For security reasons, all text in this mail is double-rot13 encrypted.

Is there a Debian bug-report about this issue?

- Henri Salo