CVE-2008-4677

Common Vulnerabilities and Exposures

CVE-2008-4677 at MITRE

Details

autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords. NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating "I'm assuming that they're using the same id and password on that unchanged hostname, deliberately."

Novell Bugzilla entry: 406693,439148

SUSE Security Advisories:

SUSE-SR:2009:007, published Tue, 24 Mar 2009 16:00:00 +0000
SUSE-SR:2009:007 , published Tue, 24 Mar 2009 16:00:00 +0000

Product(s)	Fixed package version(s)	References
openSUSE 10.3 openSUSE 11.0	`gvim >= 7.2-9.1` `vim >= 7.2-9.1` `vim-base >= 7.2-9.1` `vim-data >= 7.2-9.1` `vim-enhanced >= 7.2-9.1`	ZYPP Patch Nr: 6023 SAT Patch Nr: 561
openSUSE 11.0	`vim-debuginfo >= 7.2-9.1` `vim-debugsource >= 7.2-9.1`	ZYPP Patch Nr: 6023 SAT Patch Nr: 561
openSUSE 11.1	`vim-debuginfo >= 7.2-7.4.1` `vim-debugsource >= 7.2-7.4.1`	ZYPP Patch Nr: 6023 SAT Patch Nr: 561
openSUSE 11.1	`gvim >= 7.2-7.4.1` `vim >= 7.2-7.4.1` `vim-base >= 7.2-7.4.1` `vim-data >= 7.2-7.4.1` `vim-enhanced >= 7.2-7.4.1`	ZYPP Patch Nr: 6023 SAT Patch Nr: 561
Novell Linux Desktop 9 for x86 Novell Linux Desktop 9 for x86_64 Novell Linux POS 9 Open Enterprise Server SUSE CORE 9 for AMD64 and Intel EM64T SUSE CORE 9 for IBM POWER SUSE CORE 9 for IBM S/390 31bit SUSE CORE 9 for IBM zSeries 64bit SUSE CORE 9 for Itanium Processor Family SUSE CORE 9 for x86	`gvim >= 6.2-235.8` `vim >= 6.2-235.8`	core9. x86 core9. s390x sles9-nld. x86 sles9-nlpos. x86 core9. ppc sles9-nld. x86-64 core9. s390 core9. x86-64 sles9-oes. x86 core9. ia64 YOU Patch Nr: 12360