[Rpm-maint] rpm security exposure http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059
devzero2000
pinto.elia at gmail.com
Thu Nov 4 09:34:25 UTC 2010
On Thu, Nov 4, 2010 at 9:54 AM, swamy sangamesh
<swamy.sangamesh at gmail.com> wrote:
> Hi Pinto,
>
> Thanks for your investigation. Do you have a patch which I can test for the 3.0.5
> source?
>
> Why don't you open an APAR with IBM as I have said previously?
>
> On Wed, Nov 3, 2010 at 10:49 PM, devzero2000 <pinto.elia at gmail.com> wrote:
>
>> The CVE is CONFIRMED with AIX 5.3 with the latest fixpack applied. I am pretty sure
>> it is also the same issue on AIX 6.x. I have done some trivial updates to the
>> original bugzilla SPEC for testing this. Reading the rpm 3.0.5 code confirms
>> the issue also. But the original patch to @rpm.org is not applicable as
>> is.
>>
>>
>> Regards
>>
>> On Wed, Nov 3, 2010 at 12:32 PM, devzero2000 <pinto.elia at gmail.com> wrote:
>>
>>> On Wed, Nov 3, 2010 at 5:33 AM, swamy sangamesh <
>>> swamy.sangamesh at gmail.com> wrote:
>>>
>>>>
>>>> Hi Pinto,
>>>>
>>>> We are using it for IBM AIX Toolbox for linux applications with AIX
>>>> version 5.3 and above.
>>>> Currently we are using rpm-3.0.5 source to build the binaries.
>>>
>>> I imagined that already. But the rpm.rte fileset is a proprietary supported
>>> package lslpp from IBM (rpm.rte).
>>> I have seen on the IBM fixcentral that the latest Technology Level
>>> 5300-12-00-1015 doesn't contain or reference a security problem on rpm
>>> (http://www-933.ibm.com/support/fixcentral/aix/fixpackdetails?fixid=5300-12-00-1015).
>>> Have you opened an APAR? I am sure that IBM
>>> knows whom to ask for a fix, if necessary. Now there is no such fix
>>> http://www14.software.ibm.com/webapp/set2/subscriptions/ijhifoeblist?mode=1&prefsOnOff=null&topic=SECURITY&month=ALL&heading=AIX53
>>>
>>> Regards
>>>
>>
>>
>
>
> --
> Thanks & Regards,
> Sangamesh
>
>