From deapesh at gmail.com Tue Mar 9 21:59:57 2010
From: deapesh at gmail.com (Deapesh Misra)
Date: Tue, 9 Mar 2010 16:59:57 -0500
Subject: [VIM] Energizer DUO USB battery charger Issue
Message-ID: <22b0e07b1003091359m614b35e2of3dc04940700cd30@mail.gmail.com>

Hi,

This is regarding the 'Energizer DUO USB battery charger' issue
(http://www.kb.cert.org/vuls/id/154421 and
http://osvdb.org/show/osvdb/62782)

I am not sure as to why this is labeled as a vulnerability. Anyone care
to share their thoughts?

Also why was a CVE ID released for this issue: CVE-2010-0103 ?

thanks,
Deapesh.


From jericho at attrition.org Wed Mar 10 00:25:15 2010
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 10 Mar 2010 00:25:15 +0000 (UTC)
Subject: [VIM] Energizer DUO USB battery charger Issue
In-Reply-To: <22b0e07b1003091359m614b35e2of3dc04940700cd30@mail.gmail.com>
References: <22b0e07b1003091359m614b35e2of3dc04940700cd30@mail.gmail.com>
Message-ID:

I replied to Deapesh already, but since asked here:

: This is regarding the 'Energizer DUO USB battery charger' issue
: (http://www.kb.cert.org/vuls/id/154421 and
: http://osvdb.org/show/osvdb/62782)
:
: I am not sure as to why this is labeled as a vulnerability. Anyone care
: to share their thoughts?
:
: Also why was a CVE ID released for this issue: CVE-2010-0103 ?

I noticed this was the first time other VDBs assigned it. We have an
internal discussion going whether we should go back and add other cases
of 'certified pre-owned' (how we classify them and track on Attrition
Errata).

In short, it is a vulnerable software package being distributed by a
company. Instead of an exploit to abuse a remote overflow, it just
happens to be much easier to exploit. But, it is still vulnerable
software.

http://attrition.org/errata/cpo/

(not updated with a few recent ones, we're overhauling the pages)

Brian


From coley at linus.mitre.org Wed Mar 10 21:37:07 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 10 Mar 2010 16:37:07 -0500 (EST)
Subject: [VIM] Energizer DUO USB battery charger Issue
In-Reply-To:
References: <22b0e07b1003091359m614b35e2of3dc04940700cd30@mail.gmail.com>
Message-ID:

The CVE was assigned by CERT but I agree with it. The software came from
a vendor web site and it allows much more access than the sysadmin
intends. Doesn't matter whether it got compromised at the distribution
point or if this was intentional by the vendor. We have a small handful
of things like this in CVE.

There's a slippery slope between this and "Potentially Unwanted
Software" though.

- Steve


From theall at tenablesecurity.com Tue Mar 16 13:57:06 2010
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 16 Mar 2010 09:57:06 -0400
Subject: [VIM] Newbie CMS File Disclosure Vulnerability
Message-ID:

Exploit DB 11768 covers a file disclosure vulnerability in Newbie CMS --
reportedly the issue involves the 'free_download.php' script. As far as
I can see, though, that script is not included in the distribution file,
whether you look at the copy helpfully included as part of the advisory
or either v2 or v3 downloaded from the project site. [It does appear to
be what's used to actually distribute the software though.]

George
--
theall at tenablesecurity.com


From deapesh at gmail.com Tue Mar 30 22:34:30 2010
From: deapesh at gmail.com (Deapesh Misra)
Date: Tue, 30 Mar 2010 18:34:30 -0400
Subject: [VIM] Oracle/Sun Java security advisories
Message-ID: <22b0e07b1003301534y22534478r6420392f1b52ced9@mail.gmail.com>

hi,

Did anyone notice how Oracle's security advisories for Java are devoid
of information?

http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html

Wonder if this will be the way for all future Sun vulnerabilities.

-Deapesh.