Bug 358789 - <net-misc/mrouted-3.9.5: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://git.vmlinux.org/mrouted.git/bl...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-03-14 04:28 UTC by Tim Sammut (RETIRED)
Modified: 2014-12-12 00:37 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Tim Sammut (RETIRED) gentoo-dev 2011-03-14 04:28:04 UTC

    
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-03-14 04:30:36 UTC
(Sorry for the spam, ugh!)

Looking at the ChangeLog at $URL, I see two things that appear security-related.

Fixed in 3.9.3
 - Fix =NULL= pointer dereference in conf file parser.  Problem will arise for all
   interfaces that at one point might not have an address.

Fixed in 3.9.5
 - Ported from pimd after CVE-2011-0007: Insecure file creation in /var/tmp.
   "On USR1, pimd will write to /var/tmp/pimd.dump a dump of the multicast route
   table. Since /var/tmp is writable by any user, a user can create a symlink to any
   file he wants to destroy with the content of the multicast routing table."
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2011-04-21 14:01:45 UTC
Stumbled upon this.

Arch teams, please test and mark stable:
=net-misc/mrouted-3.9.5
Target KEYWORDS="amd64 ppc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-04-21 18:20:07 UTC
amd64 ok
Comment 4 Thomas Kahle (RETIRED) gentoo-dev 2011-04-21 18:53:02 UTC
x86 stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2011-04-22 16:54:38 UTC
ppc done
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2011-04-25 09:18:17 UTC
amd64 done
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-04-26 02:47:13 UTC
Thanks, everyone. GLSA Vote: Yes.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:52:56 UTC
Vote: YES. New GLSA request filed.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-10 20:13:44 UTC
Can one of our new scouts check if there is a CVE for this and request one if
there is none?
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:37:19 UTC
This issue was resolved and addressed in
 GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).