List Archive: gentoo-security
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
On Wed, Oct 27, 2010 at 08:33:56PM +0200, Volker Armin Hemmann wrote:
> please show me some enterprise distros incorporating that patch.
I didn't test that patch; even if it's incorrect, bugreport is not about
a patch. It's about a security issue.
For example, look here:
This proof-of-concept exploit still works in gentoo (amd64 stable at least,
even hardened!), because some dangerous variables are not filtered out.
(note if you want to test it: vixie-cron won't execute created file
because it's not executable. Either use another crond, or use exploit to
create e.g. udev rule instead of crontab entry).
Another similar vulunerability caused by not filtering some variables was
found about a week ago. I don't know if it still works in Gentoo, because
hardened is not affected by that one.