Forum Thread: Vulnerability - but no one seems to care...

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Open Discussions

This thread has been marked as locked.
tom_1st Vulnerability - but no one seems to care...
Member 1st Jul, 2010 10:58
Ranking: 12
Posts: 24
User Since: 23rd Jun, 2010
System Score: N/A
Location: DE
TortoiseSVN has a vulnerability which was fixed a while ago:
http://subversion.apache.org/security/CVE-2009-241...

1.)
CristianDeluxe reported it a while ago but the thread was closed and nothing happened
http://secunia.com/community/forum/thread/show/256...

2.) I reported it (again) via 'report vulnerability':
http://secunia.com/community/advisories/report_vul...
but nothing happened

3.) Now I am writing this thread and probably nothing will happen

=> As a result all vulnerable versions are detected as up-to-date, which is definitely not so.

Don't get me wrong here, but what else should I do?
Did I get something wrong? I thought users can report vulnerabilities/security weaknesses and after a while PSI is updated accordingly.
This specific weakness "can lead to a DoS (an exploit has been tested) and to arbitrary code execution (no exploit tested, but the possibility is clear)."
Is the severity of this vulnerability not high enough? Please help me out here folks to get an idea about the purpose of 'report vulnerability' and the forum.

ToM

taffy078 RE: Vulnerability - but no one seems to care...
Contributor 1st Jul, 2010 11:37
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 1st Jul, 2010 11:46
Hi, Tom.

This section, “Vulnerabilities”, is used by the Secunia team to announce problems.
You will have more chance of getting help, more quickly, if you post a new thread in one of the other sections (see the list on the left).
Best wishes.

EDIT: PS Who makes the program? I've just searched in Programs but couldn't find Subversion. If, when you check there, you still can't find the program listed, click on the link

Help us improve our service to you:
Program missing? Suggest it here!

at the bottom of the 'Insecure' tab to report it to Secunia. You need to give them the .exe file name if you can.

Hoping this helps you.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant? +2 / -0
tom_1st RE: Vulnerability - but no one seems to care...
Member 1st Jul, 2010 12:08
Score: 12
Posts: 24
User Since: 23rd Jun 2010
System Score: N/A
Location: DE
Thanks for your answer.
You can find the program here:

Vendor: UNKNOWN
Program: TortoiseSVN 1.x

The app itself was added to PSI a long time ago. I wanted to use the 'Program missing? Suggest it here!' link, but since there is no possibility to write a comment in that dialog, it doesn't make sense to upload the exe there (again).

-> But I suggested to Secunia that a 'comment' field be added to the upload, and one guy said this has been added to the TODO list (so I am guessing it will be integrated one day...)

Regards,
ToM
Was this reply relevant? +0 / -0
Anthony Wells RE: Vulnerability - but no one seems to care...
Expert Contributor 1st Jul, 2010 14:24
Score: 2463
Posts: 3,348
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 1st Jul, 2010 14:41
Hi ToM ,

In theory, this should be the correct sub-forum for you to post this thread, but as taffy indicates, there is confusion in using this "vulnerabilities" section.

Do Secunia have a Secunia Advisory*** for the CVE (cve-2009-2411) you mention and, if so, does it equally relate to or mention "Tortoise" as part of "Subversion"?

If a Secunia Official does not pick up this thread, you may want to contact them directly by email at support@secunia.com; it would seem to be important to update this omission.

Take care
Anthony

EDIT:*** the relevant SA for "Subversion" is SA36184.

PS: "subversion" is now part of subversion.apache.org

PPS: to avoid confusion, I would strongly suggest you DO NOT POST IN THE COMMENTS SECTION BENEATH THE SA ITSELF

--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant? +1 / -0
taffy078 RE: Vulnerability - but no one seems to care...
Contributor 1st Jul, 2010 14:54
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 1st Jul, 2010 14:54
Hi Tom/Anthony.

Looks like this has now been resolved:

http://secunia.com/community/forum/thread/show/466...

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant? +0 / -0
tom_1st RE: Vulnerability - but no one seems to care...
Member 1st Jul, 2010 15:02
Score: 12
Posts: 24
User Since: 23rd Jun 2010
System Score: N/A
Location: DE
on 1st Jul, 2010 14:24, Anthony Wells wrote:
Hi ToM,

In theory, this should be the correct sub-forum for you to post this thread, but as taffy indicates, there is confusion in using this "vulnerabilities" section.


Originally I didn't post here but in Programs (with the specification of vendor and program)

on 1st Jul, 2010 14:24, Anthony Wells wrote:

EDIT:*** the relevant SA for "Subversion" is SA36184.
PS: "subversion" is now part of subversion.apache.org
PPS: to avoid confusion, I would strongly suggest you DO NOT POST IN THE COMMENTS SECTION BENEATH THE SA ITSELF


I searched the SAs but didn't find it since I was searching for:
'TortoiseSVN' and 'Tortoise'

So basically that is the page I was looking for:
http://secunia.com/advisories/product/3376/?task=a...

But I think that narrows it down:
The bug is listed under subversion but not for tortoise - which of course is also affected since it is using subversion!

Cf. tortoise changelog:
http://tortoisesvn.tigris.org/ChangeLog.txt

-> PSI should be adapted so that it also checks the tortoise subversion client.

ToM
Was this reply relevant? +1 / -1
tom_1st RE: Vulnerability - but no one seems to care...
Member 1st Jul, 2010 15:06
Score: 12
Posts: 24
User Since: 23rd Jun 2010
System Score: N/A
Location: DE
Last edited on 1st Jul, 2010 15:08
Hi taffy,

unfortunately not, since the vulnerability is valid for:

1. subversion (itself)
2. tortoise subversion client

Which is recognized by PSI?

1. Yes (probably)
2. undetected (still vulnerable)

Regards,
ToM
Was this reply relevant? +1 / -1
Anthony Wells RE: Vulnerability - but no one seems to care...
Expert Contributor 1st Jul, 2010 15:21
Score: 2463
Posts: 3,348
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi ToM,

You will need to find out from Secunia their needs in order for them to detect a client programme.

Take care
Anthony

PS: when you quoted the CVE (in the comments box) in the "other" thread, it is already plainly shown in the details of the SA 36184; similarly, Secunia do not like any posts under an SA when it/they relate to a PSI detection problem or a specific programme.

Thus, your original thread may have been moved by Secunia to the "vulnerabilities" sub-forum as being more relevant!!

Take care
Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant? +3 / -1
tom_1st RE: Vulnerability - but no one seems to care...
Member 1st Jul, 2010 15:32
Score: 12
Posts: 24
User Since: 23rd Jun 2010
System Score: N/A
Location: DE
on 1st Jul, 2010 15:21, Anthony Wells wrote:
Hi ToM,
You will need to find out from Secunia their needs in order for them to detect a client programme.

But what else should I do other than reporting a problem in three different ways?
To me it looks like Secunia correctly has an SA for the bug but does not correctly recognize all programs:

- subversion (itself) yes
- tortoise subversion client not

on 1st Jul, 2010 15:21, Anthony Wells wrote:

PS: when you quoted the CVE (in the comments box) in the "other" thread, it is already plainly shown in the details of the SA 36184; similarly, Secunia do not like any posts under an SA when it/they relate to a PSI detection problem or a specific programme.

But the link I posted is the original reference point which was used by Secunia to create its SA. I think it is quite relevant to know the source. Furthermore the link provides much more detail (e.g. what exactly was changed/patched and where etc.)
Was this reply relevant? +1 / -1
Anthony Wells RE: Vulnerability - but no one seems to care...
Expert Contributor 1st Jul, 2010 15:38
Score: 2463
Posts: 3,348
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 1st Jul, 2010 15:43
ToM,

It's a PSI detection rule, so, as I said:

on 1st Jul, 2010 14:24, Anthony Wells wrote:
Hi ToM,

If a Secunia Official does not pick up this thread, you may want to contact them directly by email at support@secunia.com; it would seem to be important to update this omission.


Only they (PSI support) can help you and I'm sure they will be quite ready and willing to clear things up - one way or another.

Anthony

PS: believe me, non-relevant "comments" under an SA are not accepted. There is already a clear link to the CVE in the SA, but, probably, no harm done.

--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant? +0 / -0
M.Hansen RE: Vulnerability - but no one seems to care...
Secunia Official 1st Jul, 2010 15:55
Score: 188
Posts: 412
User Since: 26th Jan 2009
System Score: N/A
Location: Copenhagen, DK
Hi

I would like to get a software suggestion of the program that is not detected correctly.
(please fill out all the fields in the form if possible)

I'll then try to adjust our rules so they cover the programs they should.
tom_1st RE: Vulnerability - but no one seems to care...
Member 1st Jul, 2010 17:18
Score: 12
Posts: 24
User Since: 23rd Jun 2010
System Score: N/A
Location: DE
Last edited on 1st Jul, 2010 17:42
I just sent you the program (via the 'Program missing? Suggest it here!') functionality.

But please note that I sent you the version 1.6.3, which is only one of the vulnerable versions.

- Tortoise < 1.5.10 are vulnerable (However the 1.5.x Branch is no longer maintained so mark that as a whole as E-O-L)
- Tortoise 1.6.0 through 1.6.3 (inclusive)

The most up-to-date version is 1.6.9

ToM

PS: http://tortoisesvn.tigris.org/servlets/NewsItemVie...
Was this reply relevant? +1 / -1
tom_1st RE: Vulnerability - but no one seems to care...
Member 1st Jul, 2010 17:48
Score: 12
Posts: 24
User Since: 23rd Jun 2010
System Score: N/A
Location: DE
Furthermore, I just found out that version 1.6.4 is also vulnerable:

Version 1.6.5 fixes the following security problems (of the neon library):
http://tortoisesvn.tigris.org/servlets/NewsItemVie...

1. CVE-2009-2473 (SA36371)
2. CVE-2009-2474 (SA36371)

Regards,
ToM
Was this reply relevant? +1 / -1
M.Hansen RE: Vulnerability - but no one seems to care...
Secunia Official 2nd Jul, 2010 08:54
Score: 188
Posts: 412
User Since: 26th Jan 2009
System Score: N/A
Location: Copenhagen, DK
Hi

Thank you for reporting this.

I've updated our rules and everyone with a version prior to 1.6.5 will be offered an update.

(Those of you with PSI 2.0 (TP) will also have the option of using the Auto-Update feature)


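The detection gap this thread settles on (PSI keying the Subversion advisory on Subversion itself but not on the TortoiseSVN client that bundles the same code, with the version boundaries tom_1st posts and the "prior to 1.6.5" cut-off M.Hansen adopts) is the kind of thing a version-range rule has to encode. The following is an added example, not Secunia's code and not PSI's rule format, which is not on this page. The version boundaries are taken from the thread; the rule layout, the `assess` function, the `scan` helper and the sample inventory are assumptions made for illustration. It also shows why such a rule must compare versions numerically rather than as strings: a plain string comparison would treat a hypothetical 1.6.10 as older than 1.6.5.

```python
"""Version-range detection rule for the TortoiseSVN ranges discussed in this thread.

Added example, not Secunia's code: PSI's real rule format is not on this page.
Version boundaries (1.5 branch unmaintained, 1.6.0-1.6.4 vulnerable, fixed in
1.6.5) are taken from the thread; everything else is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple[int, ...]:
    """'1.6.4', 'v1.6.4' or a Windows file version '1.6.4.7600' -> tuple of ints.

    Rejects anything that is not dotted digits so that a garbled inventory entry
    fails loudly instead of silently comparing as 'secure'.
    """
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


@dataclass(frozen=True)
class BranchRule:
    branch: tuple[int, ...]               # version prefix the rule applies to, e.g. (1, 6)
    fixed_in: Optional[tuple[int, ...]]   # first patched release; None = whole branch end-of-life
    note: str


# Boundaries as posted in the thread. The 1.5 branch is no longer maintained, so
# it is flagged end-of-life as a whole rather than by its 1.5.10 fix. On the 1.6
# branch 1.6.0-1.6.3 carry CVE-2009-2411 and 1.6.4 still carries the neon issues
# CVE-2009-2473 / CVE-2009-2474, so the cut-off is 1.6.5 (SA36184, SA36371).
TORTOISESVN_RULES = (
    BranchRule(branch=(1, 5), fixed_in=None, note="1.5.x branch unmaintained (EOL)"),
    BranchRule(branch=(1, 6), fixed_in=(1, 6, 5), note="SA36184 / SA36371, fixed in 1.6.5"),
)


def assess(version_text: str, rules=TORTOISESVN_RULES) -> str:
    """Classify an installed version: 'secure', 'insecure', 'end-of-life' or 'unknown'.

    'unknown' means a branch newer than any rule: the rule set, not the host,
    needs updating, which is exactly the maintenance gap this thread is about.
    """
    v = parse_version(version_text)
    for rule in rules:
        if v[: len(rule.branch)] == rule.branch:
            if rule.fixed_in is None:
                return "end-of-life"
            # Tuple comparison is element-wise numeric: (1, 6, 10) > (1, 6, 9).
            return "secure" if v >= rule.fixed_in else "insecure"
    newest = max(rule.branch for rule in rules)
    return "end-of-life" if v[: len(newest)] < newest else "unknown"


def naive_is_vulnerable(version_text: str, fixed: str = "1.6.5") -> bool:
    """The bug a hand-written rule easily has: lexicographic comparison of strings.

    '1.6.10' < '1.6.5' is True because '1' < '5', so a later, patched release
    would be flagged insecure. Kept here only to contrast with assess().
    """
    return version_text < fixed


def scan(inventory: dict[str, str]) -> dict[str, str]:
    """Apply the rule to a {host/program: file version} inventory."""
    return {name: assess(version) for name, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not data from the thread).
SAMPLE_INVENTORY = {
    "TortoiseSVN (host-a)": "1.6.3.6338",
    "TortoiseSVN (host-b)": "1.6.4",
    "TortoiseSVN (host-c)": "1.6.9",
    "TortoiseSVN (host-d)": "1.5.9",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_INVENTORY).items():
        print(f"{name:24s} {verdict}")
```

Run as a script it reports host-a and host-b as insecure, host-c as secure and host-d as end-of-life. The file-version form (`1.6.3.6338`) is accepted because that is what a scanner reads off the installed .exe, which is also why M.Hansen asks for the .exe in the program suggestion.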