oss-sec mailing list archives
CVE needed for hplip insecure auto update feature?
From: Murray McAllister <mmcallis () redhat com>
Date: Thu, 05 Dec 2013 15:02:30 +1100
Hello, https://bugzilla.novell.com/show_bug.cgi?id=853405 talks about an upgrade feature in hplip downloading (via HTTP) a binary and executing it. Is a CVE needed for that? Along with the versions in <https://bugzilla.novell.com/show_bug.cgi?id=853405#c6>, the hplip 1.6.7 and hplip3 3.9.8 versions I looked at did not have the upgrade.py file in the source (newer version like 3.13.11 had it in the source but the RPM spec file looks to remove it at build time, so it is not provided in the binary RPMs). Thanks, -- Murray McAllister / Red Hat Security Response Team
Current thread:
- CVE needed for hplip insecure auto update feature? Murray McAllister (Dec 04)
- Re: CVE needed for hplip insecure auto update feature? Kurt Seifried (Dec 04)