162318 2007-01-16 04:13 0000 net-misc/neon: a denial of service (crash) via a URI with non-ASCII characters (CVE-2007-0157) 2007-11-10 19:40:04 0000 1 1 1 Unclassified Gentoo Linux Applications unspecified All Linux RESOLVED FIXED http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0157 P2 normal --- 1 kalin@ThinRope.net pauldv@gentoo.org kalin@ThinRope.net 2007-01-16 04:13:39 0000 Please see the URL. Reproducible: Didn't try Steps to Reproduce: Patch available here: http://bugs.debian.org/cgi-bin/bugreport.cgi/neon26_0.26.2-3_to_mdx1.diff?bug=404723;msg=5;att=2 Is this upstream? Do we need GLSA for that? falco@gentoo.org 2007-01-17 22:46:54 0000 it's a client-side DoS, usually we don't handle client-side DoS since a bad URI is also a form of disruption of service. But thanks a lot for the report, Kalin. Reassigning to the maintainer as a non-security bug. falco@gentoo.org 2007-01-17 22:52:03 0000 And reassiging. Paul is not the real maintainer, but... who else? There is no upstream fixed release according to http://www.webdav.org/neon/ A proposed patch is provided in the debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi/neon26_0.26.2-3_to_mdx1.diff?bug=404723;msg=5;att=2 Paul, act as you want :) carlo@gentoo.org 2007-05-14 13:47:48 0000 bumped to 0.26.3 at least hollow@gentoo.org 2007-11-10 19:40:04 0000 fixed in 0.26.4