Re: [SECURITY] [DSA 1020-1] New flex packages fix insecure code generation

To: "Matthew R. Dempsky" <mrd@xxxxxxxxxxx>
Subject: Re: [SECURITY] [DSA 1020-1] New flex packages fix insecure code generation
From: Moritz Muehlenhoff <jmm@xxxxxxxxxx>
Date: Tue, 28 Mar 2006 23:24:20 +0200
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20060328020853.GA19000@xxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20060327231956.GA6608@xxxxxxxxxxxxxxxxxxxx> <20060328020853.GA19000@xxxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.11+cvs20060126

In gmane.comp.security.bugtraq, you wrote:
> On Tue, Mar 28, 2006 at 01:19:34AM +0200, Moritz Muehlenhoff wrote:
>> If you use code, which is derived from a vulnerable lex grammar in
>> an untrusted environment you need to regenerate your scanner with the
>> fixed version of flex.
>
> Do any Debian packages include such a vulnerable grammar? (If so, will 
> rebuilt packages be provided?)

The packages including affected grammars or pregenerated code of that
kind have been identified and are being checked for exploitability.
Updates will be issued where necessary.

Cheers,
        Moritz

References:
- [SECURITY] [DSA 1020-1] New flex packages fix insecure code generation
  - From: Moritz Muehlenhoff
- Re: [SECURITY] [DSA 1020-1] New flex packages fix insecure code generation
  - From: Matthew R. Dempsky

Prev by Date: XSS in PHPKIT Version 1.6.03
Next by Date: [HV-INFO] Enova hardware encryption: false sense of security
Previous by thread: Re: [SECURITY] [DSA 1020-1] New flex packages fix insecure code generation
Next by thread: PHPLiveHelper 1.8 remote command execution (include) Xploit (perl)
Index(es):
- Date
- Thread