Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug
Bug#: 51586
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 51586 depends on: Show dependency tree
Bug 51586 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2004-05-20 12:23 0000 
Original libneon bug #51490

As of May 5th website at http://arch.quackerhead.com/~lord/ promises a security update for the previous libneon vulnerability.

------- Comment #1 From Anders Rune Jensen (RETIRED) 2004-05-20 16:39:11 0000 ------- 
Tla 1.2.1pre1 was released by James Blackwell because Tom was offline because
he was moving. It fixes this security hole. For more information see this:

http://mail.gnu.org/archive/html/gnu-arch-users/2004-04/msg00715.html

Tom as later acked this version:
http://mail.gnu.org/archive/html/gnu-arch-users/2004-04/msg00716.html

------- Comment #2 From Thierry Carrez (RETIRED) 2004-05-21 00:41:12 0000 ------- 
Confirmed
Fix version is 1.2.1pre1.
Ryan : please bump to this version.

------- Comment #3 From Ryan Phillips (RETIRED) 2004-05-28 10:50:08 0000 ------- 
1.2.1_pre1 committed.  Awaiting GLSA announcement for bug closure.

------- Comment #4 From Thierry Carrez (RETIRED) 2004-05-28 11:44:20 0000 ------- 
Ready for a GLSA

------- Comment #5 From Thierry Carrez (RETIRED) 2004-05-30 14:10:03 0000 ------- 
GLSA 200405-25

------- Comment #6 From Thierry Carrez (RETIRED) 2004-06-01 01:35:21 0000 ------- 
Carsten Eiram from Secunia brought to our attention that 1.2.1_pre1 includes
neon-0.24.5, so it does only solve the string format vuln (CAN-2004-0179) and
not
the heap overflow (CAN-2004-0398), which needs neon-0.24.6.

The OpenPKG advisory uses a "tla-1.2-20040519" as the fix.

rphillips : could you clear that up and, if needed, produce a new fix ebuild ?
We'll probably have to issue an errata advisory.

------- Comment #7 From Ryan Phillips (RETIRED) 2004-06-01 22:33:18 0000 ------- 
I looked in http://dailyarch.gnuarch.org/ for the tla snapshot for 20040519.  
in src/tla/libneon/aclocal.m4 it says that libneon is 0.24.0 still... Also, in the latest snapshot: 20040602.  Am I just seeing things?

------- Comment #8 From Ryan Phillips (RETIRED) 2004-06-01 22:46:10 0000 ------- 
jivera in #arch said that the included neon isn't up to date yet.  I think the
openpackage advisory might not have gotten the right fix (if there is one).

------- Comment #9 From Ryan Phillips (RETIRED) 2004-06-01 23:23:34 0000 ------- 
tla-1.2-r2.ebuild has been committed to portage.  tla will use the installed
neon shared library via the patch included (files/tla-1.2-4.diff.gz)

Awaiting GLSA

------- Comment #10 From Thierry Carrez (RETIRED) 2004-06-02 01:52:24 0000 ------- 
Errata drafted, security, please review.

We should remove/mask 1.2.1_pre1 before GLSA release so that this vulnerable version does not get picked up by the emerge ">=dev-util/tla-1.2-r2".

------- Comment #11 From Thierry Carrez (RETIRED) 2004-06-02 11:05:59 0000 ------- 
Errata GLSA 200405-25:02
Ryan: thank you very much for this quick and efficient fix !
Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug