Re: Vulnerability?, posted by Konstantin Olchanski on Fri Apr 22 21:15:37 2022
> > debian package still outdated?
> We reached out to the package maintainer
the good Roger Kalt requested removal of debian package elog
and it is now removed from debian-unstable. I am not sure
if it can be removed from debian-stable releases (debian-11, debian-10).
https://tracker.debian.org/pkg/elog
https://tracker.debian.org/news/1320035/removed-313-1-1-from-unstable/
K.O.
Re: Vulnerability?, posted by Konstantin Olchanski on Sat Apr 23 18:05:57 2022
> The CVEs you refer to are very old and have been fixed a long time ago.
>
> Please refer to:
> https://www.tenable.com/security/research/tra-2019-53
>
> This report states that all the reported problems are fixed as of ELOG 3.1.4-283534d or later.
>
> Note that the elog git history does not refer to these CVEs because
> they were fixed before the CVE number was assigned, per "Disclosure Timeline"
> in the above document. The relevant commits are listed under "Additional References".
>
> K.O.
I should better capture these "additional references" and the "disclosure timeline"
before they vanish from tenable.com:
https://www.tenable.com/security/research/tra-2019-53
Additional References
https://bitbucket.org/ritt/elog/commits/7367647d40d9b43d529d952d3a063d53606697cb
https://bitbucket.org/ritt/elog/commits/38c08aceda8e5ac4bfdcc040710b5792bd5fe4d3
https://bitbucket.org/ritt/elog/commits/32ba07e19241e0bcc68aaa640833424fb3001956
https://bitbucket.org/ritt/elog/commits/15787c1edec1bbe1034b5327a9d6efa710db480b
https://bitbucket.org/ritt/elog/commits/283534d97d5a181b09960ae1f0c53dbbe42d8a90
Disclosure Timeline
12/3/2019 - Notice sent to stefan.ritt - AT - psi.ch. 90 day is March 3, 2020
12/4/2019 - Dr. Ritt acknowledges the report.
12/9/2019 - Dr. Ritt stages fixes in bitbucket.
12/9/2019 - Tenable provides feedback.
12/10/2019 - Dr. Ritt acknowledges.
12/11/2019 - Tenable reserves CVE.
12/11/2019 - Tenable notes the various ELOG instances maintained by Paul Scherrer Institute are patched.
12/11/2019 - Tenable informs Dr. Ritt and Mr. Roger Kalt (Debian/Ubuntu package manager) of intent to publish CVE tomorrow (Dec. 12).
K.O.
Re: Vulnerability?, posted by Konstantin Olchanski on Tue Apr 26 17:39:49 2022
> > > debian package still outdated?
> removed from debian-unstable
> https://tracker.debian.org/pkg/elog
> https://tracker.debian.org/news/1320035/removed-313-1-1-from-unstable/
contacted security@debian.org and they requested removal from the next buster/bullseye point releases:
https://bugs.debian.org/1010196
https://bugs.debian.org/1010197
next is to request removal of ubuntu package.
K.O.
Re: Vulnerability?, posted by Konstantin Olchanski on Wed Apr 27 19:36:25 2022
> next is to request removal of ubuntu package.
contacted ubuntu security team, got very quick response.
they noted our request and informed us that ubuntu cannot remove packages from existing releases.
https://bugs.launchpad.net/ubuntu/+source/elog/+bug/1970480
K.O.
Re: Virus in latest elog?, posted by Stefan Ritt on Fri Jul 14 16:58:48 2017
Hi Daniel,
you're the first one reporting about this virus. We have different virus checkers here at our lab and none of them triggered. So I guess it is a false alarm.
Best,
Stefan
Daniel Sajdyk wrote:
Hello.
Today I wanted to download the latest elog version, and got information from Eset Endpoint Antivirus that the downloaded file has a trojan horse "Generic.GQWFFXB".
Is this a false positive alarm?
Daniel
Re: Version of GCC to use?, posted by Stefan Ritt on Mon May 9 20:47:02 2005
> What is the recommended version of gcc to use with elog 2.5.9? I searched
> the discussion database but found nothing pertaining to this.
Well, the same code compiles on gcc and on Visual C++ under Windows, so
hopefully there is no dependence on the gcc version (;-)
I use gcc 3.2.3 on Scientific Linux 3.03.
Re: Version of GCC to use?, posted by Steve Jones on Mon May 9 20:51:23 2005
> > What is the recommended version of gcc to use with elog 2.5.9? I searched
> > the discussion database but found nothing pertaining to this.
>
> Well, the same code compiles on gcc and on Visual C++ under Windows, so
> hopefully there is no dependence on the gcc version (;-)
>
> I use gcc 3.2.3 on Scientific Linux 3.03.
I ask because I get a dependency that I did not have before with 2.5.3.
Compiling with my same 'ole gcc 2.95.2 I see that I now need mxml.h and
strlcpy.h. Trying to compile under gcc 3.4 results in all kinds of errors.
Re: Version of GCC to use?, posted by Stefan Ritt on Mon May 9 20:55:36 2005
> I ask because I get a dependency that I did not have before with 2.5.3.
> Compiling with my same 'ole gcc 2.95.2 I see that I now need mxml.h and
> strlcpy.h. Trying to compile under gcc 3.4 results in all kinds of errors.
mxml.h and strlcpy.h are part of the elog tar ball. When untarred, they get copied
into a separate directory:
...
-rwxr-xr-x ritt/lke 15090 2005-05-09 13:09:54 elog-2.5.9/eloglang.japanese
-rwxr-xr-x ritt/lke 17587 2005-05-09 13:09:54 elog-2.5.9/eloglang.spanish
drwxr-xr-x ritt/lke 0 2005-05-09 13:09:54 mxml/
-rwxr-xr-x ritt/lke 45577 2005-05-09 13:09:54 mxml/mxml.c
-rwxr-xr-x ritt/lke 2198 2005-05-09 13:09:54 mxml/strlcpy.c
-rwxr-xr-x ritt/lke 4359 2005-05-09 13:09:54 mxml/mxml.h
-rwxr-xr-x ritt/lke 567 2005-05-09 13:09:54 mxml/strlcpy.h
I have right now no access to 3.4. Once I get it, I will address the errors
occurring there.