Bug#: 150748
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Carsten Lohrke <carlo@gentoo.org>
Description: Opened: 2006-10-10 07:41 0000
The POC

------- Comment #1 From Carsten Lohrke 2006-10-10 07:41:07 0000 -------
The POC¹ is against 1.34 tested on WinXP. We have only version ~1.25 in the
tree. I don't know if it is affected, too. Either replacing it with 1.35 or
inviting treecleaners, if no one really cares for the package, should suffice.


[1] http://www.milw0rm.com/exploits/2482

------- Comment #2 From Matthias Geerdsen 2006-10-11 06:44:52 0000 -------
www-servers, any interest in keeping this? if so, pls verify/bump

------- Comment #3 From Matthias Geerdsen 2006-10-19 06:09:13 0000 -------
www-servers, pls comment

------- Comment #4 From Thilo Bangert 2006-10-22 08:54:16 0000 -------
I've put minimal (i.e. cp) effort into creating a bump ebuild, but failed...

IMHO this can be punted. www-servers/fnord is an alternative.
thanks

------- Comment #5 From Matthias Geerdsen 2006-10-23 12:44:34 0000 -------
since this is not marked stable on any arch, pls feel free to mask->remove it

------- Comment #6 From Raphael Marichez 2006-10-23 13:13:08 0000 -------
I agree for masking/removing it if no one can resolve that bug.

I'll try to check if our version is really vulnerable during this week.

------- Comment #7 From Stuart Herbert (RETIRED) 2006-10-24 00:38:02 0000 -------
Sorry for the delay in replying.

I've bumped this package up to 1.35.  That was released back in April, long
before the exploit was posted.  I can't tell whether this version is also
vulnerable or not at the moment.

Anyone in the security team fancy auditing it?

Best regards,
Stu

------- Comment #8 From Raphael Marichez 2006-10-24 01:09:04 0000 -------
Thanks Stuart. I'll try to have a look on this

------- Comment #9 From Raphael Marichez 2006-10-24 05:46:45 0000 -------
finally removed treecleaners from Cc since Stuart has taken this package :)

------- Comment #10 From Carsten Lohrke 2006-10-24 05:55:51 0000 -------
The update to 1.35 should suffice. Forgot to provide the advisory url, sorry.


http://secunia.com/advisories/22294/

------- Comment #11 From Raphael Marichez 2006-10-30 03:12:54 0000 -------
I couldn't determine if 1.25 was affected. That's not a problem since 1.35 is
out after all.

I'm closing this bug; as usual, feel free to reopen if you disagree.
