oss-sec mailing list archives
Re: [Openvas-devel] [oss-security] CVE Request -- openvas-scanner -- Insecure temporary file use by generation of an OVAL system characteristics document, when ovaldi support enabled
From: "Jan-Oliver Wagner" <Jan-Oliver.Wagner () greenbone net>
Date: Fri, 9 Sep 2011 23:07:34 +0200
Hello, On Friday 09 September 2011 19:45:03 Josh Bressers wrote:
Let's go with one ID. I don't see a reason to split these. Use CVE-2011-3351
I think it should be clarified: _No one_ who is properly using OpenVAS with OpenVAS Feed or with the Greenbone Feed is affected. No OVAL script is even tried to be executed: no OVAL file is in the feed and if you/someone copies one into your feed copy it is not being executed because it has no valid signature. So you need to switch to unsecure mode, then place OVAL files into your feed copy, install ovaldi etc, etc. Of course the OpenVAS developers will be fixing the problem regardless of the practical relevance! What frightens me is that a security advisory about OpenVAS 2 (a already deprecated version) made it even into official advisories of CERTs. The review process seems to not work as it should, no one ever checked back wether this version is deprecated. So it should be easy to get faked security alerts about some tools you don't like into official CERT advisories. Or am I getting something wrong here? Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/ Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460 Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
Current thread:
- CVE Request -- openvas-scanner -- Insecure temporary file use by generation of an OVAL system characteristics document, when ovaldi support enabled Jan Lieskovsky (Sep 07)
- Re: CVE Request -- openvas-scanner -- Insecure temporary file use by generation of an OVAL system characteristics document, when ovaldi support enabled Henri Doreau (Sep 07)
- Re: CVE Request -- openvas-scanner -- Insecure temporary file use by generation of an OVAL system characteristics document, when ovaldi support enabled Tim Brown (Sep 07)
- Re: CVE Request -- openvas-scanner -- Insecure temporary file use by generation of an OVAL system characteristics document, when ovaldi support enabled Josh Bressers (Sep 09)
- Re: [Openvas-devel] [oss-security] CVE Request -- openvas-scanner -- Insecure temporary file use by generation of an OVAL system characteristics document, when ovaldi support enabled Jan-Oliver Wagner (Sep 09)
- Re: [Openvas-devel] [oss-security] CVE Request -- openvas-scanner -- Insecure temporary file use by generation of an OVAL system characteristics document, when ovaldi support enabled Tim Brown (Sep 09)
- Re: CVE Request -- openvas-scanner -- Insecure temporary file use by generation of an OVAL system characteristics document, when ovaldi support enabled Josh Bressers (Sep 09)