distcc contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when an attempt to bypass IP access control on a 64-bit platform occurs. This flaw may lead to a loss of confidentiality.

Vulnerability Classification: Remote/Network Access Required Authentication Attack Loss Of Confidentiality Exploit Unknown Verified

Products: Martin Pool distcc 2.x

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Solution: Upgrade to version 2.16 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

http://www.osvdb.org/10475
2.16 is already stable in portage *** This bug has been marked as a duplicate of 64317 ***
Lisa, all versions of distcc below 2.16 are vulnerable to this. Do you think we should remove 2.14-r1 from portage?
Yes, vulnerable versions should be removed from portage. No, it's not necessary from a security point of view, nor is it required by policy. Re-closing this as a dupe. Further comments should go to the original bug. *** This bug has been marked as a duplicate of 64317 ***