Summary: | <net-misc/connman-1.0-r1 : Multiple Vulnerabilities (CVE-2012-{2320,2321,2322}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | chainsaw |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://secunia.com/advisories/49033/ | | |
Whiteboard: | B2 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | | | |
Bug Blocks: | 410611 | | |

Description
Agostino Sarubbo
2012-05-10 17:59:00 UTC
Use 1.0 and proceed to emergency stable please.

Arches, please test and mark stable:
=net-misc/connman-1.0
Target keywords : "amd64 x86"

amd64: compiles and runs

can we hide/fix unknown dependencies ?
net-misc/connman/connman-1.0.ebuild: DEPEND: !=sys-apps/systemd-37-r1

(In reply to comment #3)
> can we hide/fix unknown dependencies ?
> net-misc/connman/connman-1.0.ebuild: DEPEND: !=sys-apps/systemd-37-r1

+*connman-1.0-r1 (10 May 2012) + + 10 May 2012; Tony Vroon <chainsaw@gentoo.org> -connman-1.0.ebuild, + +connman-1.0-r1.ebuild: + Can not allow an experimental dependency to interfere with security stabling. + As per arch testing by Elijah "Armageddon" El Lazkani in bug #415415.

Arches, please note updated target and retest.

x86 stable

amd64 stable

@security go ahead with glsa

@Chainsaw, removed old and vulnerable version.

GLSA draft ready.

This issue was resolved and addressed in GLSA 201205-02 at http://security.gentoo.org/glsa/glsa-201205-02.xml by GLSA coordinator Sean Amoss (ackle).

CVE-2012-2322 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2322): Integer overflow in the dhcpv6_get_option function in gdhcp/client.c in ConnMan before 0.85 allows remote attackers to cause a denial of service (infinite loop and crash) via an invalid length value in a DHCP packet.

CVE-2012-2321 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2321): The loopback plug-in in ConnMan before 0.85 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) host name or (2) domain name in a DHCP reply.

CVE-2012-2320 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2320): ConnMan before 0.85 does not ensure that netlink messages originate from the kernel, which allows remote attackers to bypass intended access restrictions and cause a denial of service via a crafted netlink message.
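
The CVE-2012-2322 entry above describes an invalid option length in a DHCP packet leading to an infinite loop and crash. As an added illustration (not ConnMan's code and not its actual fix), this is a bounds-checked DHCPv6 option walk in C; the function name `find_dhcpv6_option` and the sample buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not ConnMan's code. DHCPv6 options are a 2-byte code,
 * a 2-byte length, then data, all big-endian (RFC 3315, section 22.1).
 * Returns a pointer to the data of option `code` and stores its length in
 * *out_len, or NULL if the option is absent or the buffer is malformed. */
const uint8_t *find_dhcpv6_option(const uint8_t *buf, size_t buf_len,
                                  uint16_t code, uint16_t *out_len)
{
    size_t off = 0; /* invariant: off <= buf_len, so buf_len - off never wraps */

    while (buf_len - off >= 4) {            /* a full option header must fit */
        uint16_t opt_code = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        uint16_t opt_len  = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        size_t remaining  = buf_len - off - 4;

        if (opt_len > remaining)            /* length claims more than we hold */
            return NULL;
        if (opt_code == code) {
            *out_len = opt_len;
            return buf + off + 4;
        }
        off += 4 + (size_t)opt_len;         /* always advances, so it terminates */
    }
    return NULL;
}

/* Constructed sample option areas (not captured traffic). */
static const uint8_t good_opts[] = { 0x00, 0x01, 0x00, 0x02, 0xAA, 0xBB,
                                     0x00, 0x17, 0x00, 0x03, 0x01, 0x02, 0x03 };
/* Same bytes, but the first option declares a length of 0xFFFF. */
static const uint8_t bad_opts[]  = { 0x00, 0x01, 0xFF, 0xFF, 0xAA, 0xBB,
                                     0x00, 0x17, 0x00, 0x03, 0x01, 0x02, 0x03 };

int main(void)
{
    uint16_t len = 0;
    const uint8_t *p = find_dhcpv6_option(good_opts, sizeof good_opts, 0x0017, &len);
    printf("well-formed: %s, length %u\n", p ? "found" : "missing", (unsigned)len);
    p = find_dhcpv6_option(bad_opts, sizeof bad_opts, 0x0017, &len);
    printf("oversized length: %s\n", p ? "found" : "rejected");
    return 0;
}
```

The parser treats a declared length larger than the remaining bytes as a malformed packet and stops, rather than clamping the length and continuing.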