Summary: | games-board/pioneers < 0.11.3 Denial of Service (CVE-2007-{5933,6010}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Pierre-Yves Rofes (RETIRED) <py> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | games |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://secunia.com/advisories/27522/ | ||
Whiteboard: | B3 [glsa errata] | ||
Package list: | Runtime testing required: | --- |
Description
Pierre-Yves Rofes (RETIRED)
2007-11-11 14:07:19 UTC
games, version 0.11.3 is in the tree but ~arch, is it ready for stabilization? please advise. stablized and removed all but 0.11.3 ok, so we can directly proceed to glsa vote. I tend to vote YES. (In reply to comment #2) > stablized and removed all but 0.11.3 Should we call in x86, because 0.11.3 is only ~x86 right now? missed it. fixed it now. Thanks. Voting YES since it seems unauthenticated users can crash the server. request filed. GLSA 200711-20 It seems we only fixed one of the two DoS vulnerabilities discovered. From http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449541 As I wrote before, there was a DoS vulnerability in Pioneers. While testing if it also occurred in stable, I found a second problem, which is now also fixed. The fix is uploaded to unstable, and should enter testing in 2 days. The attached patch fixes both problems in stable. To use it: cd /tmp dget -x ftp://ftp.nl.debian.org/debian/pool/main/p/pioneers/pioneers_0.10.2-3.dsc cd pioneers-0.10.2 patch -p2 < /path/to/patch dch -i debuild The problem is documented on http://sourceforge.net/tracker/index.php?func=detail&aid=1786686&group_id=5095&atid=105095 This patch is a combination of the following two patches: http://sourceforge.net/tracker/index.php?func=detail&aid=1791176&group_id=5095&atid=305095 http://sourceforge.net/tracker/index.php?func=detail&aid=1833003&group_id=5095&atid=305095 I added the rest of the patch that wasn't in 0.11.3 and rev bumped it to force it out. Thanks, we should publish an errata GLSA. xml updated and errata mail for GLSA-200711-20 sent, closing. |