Bug#: 242254
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Attachment: 50_dns_resolv_bufoverflow.dpatch (patch, 8.98 KB), created by Robert Buchholz, 2008-10-18 15:39 0000

Description:   Opened: 2008-10-15 19:56 0000
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

libspf2 upstream informed us about an undisclosed vulnerability in versions
previous to 1.2.8:
Unpublished CVE-2008-2469 will be released this week concerning libspf2.
Please update the version of libspf2 in the Gentoo Linux distribution to
1.2.8 as soon as reasonably possible. If you require a minimal patch for
security maintenance of previous versions, please let me know.

md5  19d82e62e4f70056a1d0f194d94906f3          libspf2-1.2.8.tar.gz
sha1 81be05cb435c9d92e0fba4b59bdf204eab4ac6ec  libspf2-1.2.8.tar.gz

------- Comment #1 From Robert Buchholz 2008-10-15 19:58:16 0000 -------
Let's get this bumped in the public tree, and proceed it via fast stabling if
there are no regressions. Robin and Tobias, since all who ever touched the
package retired, I cc'ed you for net-mail.

------- Comment #2 From Robert Buchholz 2008-10-15 20:04:16 0000 -------
this is semi-public.

------- Comment #3 From Robert Buchholz 2008-10-15 20:26:26 0000 -------
Upstream adds:

Please note that while --enable-perl probably works, it is not yet
considered stable, I suggest not adding a perl USE flag at this stage.

------- Comment #4 From Robert Buchholz 2008-10-16 01:09:00 0000 -------
Following note: One bug has been fixed and the tarball has been
replaced; it has new md5sums.

md5  824d62a83e76108f8e21a39e1ae2ad62  libspf2-1.2.8.tar.gz
sha1 17180c88b3dbad98cc22d80e6f5cb5441b5f25bd  libspf2-1.2.8.tar.gz

------- Comment #5 From Tobias Scherbaum 2008-10-16 18:29:33 0000 -------
1.2.8 is in CVS.

------- Comment #6 From Robert Buchholz 2008-10-16 19:44:16 0000 -------
Arch Security Liaisons, please test and mark stable:
=mail-filter/libspf2-1.2.8
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76

------- Comment #7 From Tobias Heinlein 2008-10-16 21:15:23 0000 -------
amd64 stable, exim[spf] emerges fine with it.

------- Comment #8 From Ferris McCormick 2008-10-16 21:38:04 0000 -------
Sparc looks good.

------- Comment #9 From Robert Buchholz 2008-10-17 00:20:22 0000 -------
(In reply to comment #8)
> Sparc looks good.

Please mark stable in-tree.

------- Comment #10 From Ferris McCormick 2008-10-17 03:05:08 0000 -------
(In reply to comment #9)
> (In reply to comment #8)
> > Sparc looks good.
> 
> Please mark stable in-tree.
> 

Sorry, wasn't paying attention.  Done for sparc.

------- Comment #11 From Jeroen Roovers 2008-10-17 05:43:16 0000 -------
HPPA is OK.

------- Comment #12 From Markus Rothe 2008-10-17 08:11:35 0000 -------
ppc64 stable

------- Comment #13 From Jose Luis Rivero (yoswink) 2008-10-17 08:22:43 0000 -------
alpha stable.

(In reply to comment #11)
> HPPA is OK.

@jer: please go and mark it on the tree, see comments 6 and 9.

------- Comment #14 From Tobias Scherbaum 2008-10-17 15:47:12 0000 -------
ppc stable

------- Comment #15 From Markus Meier 2008-10-17 20:24:10 0000 -------
x86 stable

------- Comment #16 From Raúl Porcel 2008-10-18 14:49:54 0000 -------
Adding gmsoft for hppa since jer is away

------- Comment #17 From Robert Buchholz 2008-10-18 15:39:20 0000 -------
This is now public via:
https://answers.launchpad.net/ubuntu/gutsy/+source/libspf2/1.2.5.dfsg-4ubuntu0.7.10.1

------- Comment #18 From Robert Buchholz 2008-10-18 15:39:50 0000 -------
Created an attachment (id=168944)
50_dns_resolv_bufoverflow.dpatch

For reference, the patch Debian applied.

------- Comment #19 From Robert Buchholz 2008-10-18 15:42:27 0000 -------
Arches, please test and mark stable:
=mail-filter/libspf2-1.2.8
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Already stabled : "alpha amd64 ia64 ppc ppc64 sparc x86"
Missing keywords: "hppa"

------- Comment #20 From Guy Martin 2008-10-18 16:39:52 0000 -------
hppa stable

------- Comment #21 From Robert Buchholz 2008-10-18 16:48:15 0000 -------
not so fast with the closing...

------- Comment #22 From Robert Buchholz 2008-10-30 21:27:41 0000 -------
GLSA 200810-03
