please see the url for details on 0.0.8 exploit and have an ebuild for 0.0.8.l1 available. Reproducible: Always Steps to Reproduce: none needed.
Remote exploit is misleading. It can cause the previous version to crash remotely (remode DoS) however it does not allow remote execution of code or remote control.
Okay, bumped. Confering with our security folks if we should do a GLSA for this, then i'll close this bug.
Re-assigning to security.
According to latexer, ppc-macos/macos folks have their own version stable (0.0.7.3), so I sent an email upstream asking the developer if all versions previous 0.0.8 were vulnerable as well.
Upstream replied: --- Yep, everything before 0.0.8.1 is vulnerable, and 0.0.9pre1 and pre2 are also. It is likely that a remote shell exploit is possible against win32 and old BSD, but probably not against Linux (including Gentoo) or new BSD. The vulnerability is similar to the old apache chunked encoding problem from a few years ago. But don't hold me to this. :) I recommend upgrading. --Roger --- latexer, the "ball is in your court"...or something.
OSX folks; Ya'll have a version of this marked stable currently. I know you folks changed some things with socks deps a while ago, can you please do anything needed to get 0.0.8.1 stable for you folks so we can remove all old vulnerable versions? Thanks.
OSX guys, any updates on getting 0.0.8.1 stable?
Keyworded in CVS for macos. I also removed the dependency on tsock as latexer requested.
Security, please vote on glsa. Note: this package is only marked stable on macos/ppc-macos.
I vote no. DoS on ~ or unsupported-arch packages should not generate GLSAs
Closing without GLSA.
would go for a no on this one too agree with comment #10
