Bug#: 176805
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>

Description:   Opened: 2007-05-02 13:02 0000
+++ This bug was initially created as a clone of Bug #175021 +++

The APOP protocol allows remote attackers to guess the first 3 characters of a
password via man-in-the-middle (MITM) attacks that use crafted message IDs and
MD5 collisions.
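
A client-side check related to the issue described above, as an added example that is not part of the original bug report and is not the claws-mail patch: APOP (RFC 1939) sends MD5(timestamp + password), with the timestamp taken from the server greeting, so a client can refuse to compute a digest over a timestamp that is not a plain msg-id. The function names and the strictness of the pattern are assumptions; the greeting, user and secret are the illustration values from RFC 1939.

```python
import hashlib
import re

# Printable ASCII except '<', '>' and '@'. Control bytes and 8-bit bytes are
# rejected (assumption: a strict reading of the RFC 822 msg-id form).
_ATOM = rb"[\x21-\x3b\x3d\x3f\x41-\x7e]+"
_TIMESTAMP = re.compile(rb"<" + _ATOM + rb"@" + _ATOM + rb">")

# Illustration greeting from RFC 1939, and two constructed malformed ones.
RFC_GREETING = b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>\r\n"
BAD_GREETINGS = (
    b"+OK ready <1896.\xff\x00\x80@example.invalid>\r\n",  # binary bytes
    b"+OK ready <1896@a@example.invalid>\r\n",             # second '@'
)


def extract_apop_timestamp(greeting: bytes) -> bytes:
    """Return the APOP timestamp from a POP3 greeting or raise ValueError."""
    line = greeting.rstrip(b"\r\n")
    if not line.startswith(b"+OK"):
        raise ValueError("not a positive POP3 greeting")
    start = line.find(b"<")
    if start == -1:
        raise ValueError("server does not offer APOP")
    candidate = line[start:]
    # Everything from the first '<' to the end of line must be one msg-id.
    if not _TIMESTAMP.fullmatch(candidate):
        raise ValueError("malformed APOP timestamp, refusing to authenticate")
    return candidate


def apop_digest(timestamp: bytes, secret: bytes) -> str:
    """Digest defined by RFC 1939: MD5 over timestamp followed by the secret."""
    return hashlib.md5(timestamp + secret).hexdigest()


def apop_command(user: bytes, greeting: bytes, secret: bytes) -> bytes:
    """Build the APOP line only after the greeting passed validation."""
    timestamp = extract_apop_timestamp(greeting)
    return b"APOP " + user + b" " + apop_digest(timestamp, secret).encode() + b"\r\n"
```

The check narrows what a server in the middle can feed into the digest; it does not make MD5-based APOP strong, so running POP3 over TLS remains the better fix.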

------- Comment #1 From Raúl Porcel 2007-05-02 13:08:37 0000 -------
mail-client/claws-mail-2.9.1 which is already in the tree fixes this security
issue.

------- Comment #2 From Sune Kloppenborg Jeppesen 2007-05-02 13:38:08 0000 -------
Thx for the note armin76.

Arches please test and mark stable. Target keywords are:
claws-mail-2.9.1.ebuild:KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86 ~x86-fbsd"

------- Comment #3 From Steve Dibb 2007-05-02 14:35:25 0000 -------
amd64 stable

------- Comment #4 From Jakub Moc 2007-05-02 14:36:11 0000 -------
*** Bug 176808 has been marked as a duplicate of this bug. ***

------- Comment #5 From Gustavo Zacarias (RETIRED) 2007-05-02 15:43:56 0000 -------
sparc stable.

------- Comment #6 From Markus Rothe 2007-05-02 16:39:40 0000 -------
ppc64 stable

------- Comment #7 From Andrej Kacian (RETIRED) 2007-05-02 17:13:25 0000 -------
Why doesn't anyone wait for the package maintainer?

In addition to claws-mail-2.9.1, the following plugins need to be stabilized as
well, because the current stable versions have an API incompatible with 2.9.1:

=mail-client/claws-mail-gtkhtml-0.15
=mail-client/claws-mail-mailmbox-1.12.4
=mail-client/claws-mail-rssyl-0.12
=mail-client/claws-mail-vcalendar-1.95

------- Comment #8 From Sune Kloppenborg Jeppesen 2007-05-02 18:53:00 0000 -------
Sorry ticho, my bad.

/me slaps /me

------- Comment #9 From Gustavo Zacarias (RETIRED) 2007-05-02 19:05:16 0000 -------
sparc stable claws-mail-mailmbox and claws-mail-vcalendar. The others aren't
keyworded.

------- Comment #10 From Markus Rothe 2007-05-02 19:40:42 0000 -------
plugins stable on ppc64

------- Comment #11 From Raúl Porcel 2007-05-03 17:27:05 0000 -------
x86 stable

------- Comment #12 From Tobias Scherbaum 2007-05-03 18:51:31 0000 -------
ppc stable

------- Comment #13 From Steve Dibb 2007-05-03 19:11:12 0000 -------
plugins stable on amd64

------- Comment #14 From Jose Luis Rivero (yoswink) 2007-05-04 11:37:32 0000 -------
claws-mail stable on alpha.

We don't need to keyword any of the plugins as we don't have any stable mark in
the one that we have keyworded.

------- Comment #15 From Jeroen Roovers 2007-05-05 12:16:13 0000 -------
Sorry for the late response. claws-mail suffers a glibc bug specific to HPPA
where a program will hang indefinitely waiting for a child process to signal
back. All versions so far compile, but cannot be used until glibc-2.5 goes
stable for HPPA. Therefore I cannot test it and this security bug should hence
go forward without HPPA.

------- Comment #16 From Sune Kloppenborg Jeppesen 2007-05-19 22:54:49 0000 -------
This one is ready for GLSA vote. I tend to vote NO.

------- Comment #17 From Daniel Black 2007-05-19 23:16:52 0000 -------
no glsa please

------- Comment #18 From Vic Fryzel (shellsage) 2007-05-20 15:32:16 0000 -------
I vote no, too.

------- Comment #19 From Sune Kloppenborg Jeppesen 2007-05-20 16:05:53 0000 -------
Closing with NO GLSA.
