Opening a bug so we can keep track of this issue. Klieber/Solar please provide any further information/patches. This is exploitable both in daemon and quiet mode.
I have this ready to go. I'm itching to commit it; please advise.
Created attachment 43073: ez-ipupdate-3.0.11_beta8-syslog.patch, patch that fixes format string problem in syslog code.
Initial maintainer is no longer a dev. Package has no clear maintainer. What do we think about when we do sec updates for bugs and said pkg has no metadata.xml that we bring it up to the list that it has no maintainer and security@ requests that somebody || herd take XX under its wing?
Klieber/Solar: any news on coordinated release? All we have is: > He will probably disclose this problem on Nov 3rd. Nah, let's make that the 9th instead. Wrt maintainers I think we should send a mail to see if anyone is willing to take it.
No new news updates. Is the 9th ok with us? We were on the CC: so we should respond confirming the 9th is ok with us.
- http://www.ez-ip.net/ EZ-IP closed to the general public... Effective immediately, the EZ-IP project is closed to the general public. Preferred members will continue to have access to all EZ-IP services. This change in policy is the result of continued abuses on the part of "Free" account holders. We have enjoyed serving the community with this project over the past 8 months and are truly sorry that it has become necessary to close membership. Over the next few weeks, we will be revamping the EZ-IP site and application process to allow users to "upgrade" to Preferred Member status. -------- Wonder who still needs this ebuild in portage? (argh I wish we could get stats from mirrors)
I vote to mask it (with no maintainer/ closed to the public reasons), first step toward complete removal.
I vote for masking. Is it standard procedure to contact -dev first?
Standard procedure is sending an email to -dev saying "we want to mask this package and here's why. If nobody steps up to maintain it, it will be masked in 24 hours". I vote for masking as well, but if someone is willing to take it over, I see no reason to mask it.
I'd like to patch it on the 9th in case there are any remaining Gentoo users who use the service, before we outright decide to mask it. Then I'll vote for removal anytime after the 10th.
D Day. I think we should patch it now?
So ez-ipupdate goes right to stable? Or play the arch game?
I'd just stable move it, the patch is only one line and unless someone has a broken syslog include file, it's gonna work.
With such a simple patch, I think this can go right to stable.
Thanks, that's what I wanted to know. I'll remove the old cruft ez-ipupdate-3.0.11_beta8.ebuild so/if anybody takes this pkg on to maintain it they will at least have a clean plate to start with. etc..
ez-ipupdate-3.0.11_beta8-r1 is now in CVS. KEYWORDS="x86 ppc sparc amd64". Opening bug.
> Wonder who still needs this ebuild in portage?

From http://ez-ipupdate.com/: ez-ipupdate is a small utility for updating your host name for the any of the dynamic DNS service offered at:

* http://www.ez-ip.net
* http://www.justlinux.com
* http://www.dhs.org
* http://www.dyndns.org
* http://www.ods.org
* http://gnudip.cheapnet.net (GNUDip)
* http://www.dyn.ca (GNUDip)
* http://www.tzo.com
* http://www.easydns.com
* http://www.dyns.cx
* http://www.hn.org
* http://www.zoneedit.com

... so this little utility can update to other services than just ez-ip. (I don't know if this URL is really the "official" one, or if there is still an official site / maintainer.) I use it for DynDNS.org and this tool is the best tool for IP update for me (tried some others).
I use ez-ipupdate. It works for me for year (with dyndns.org). Please don't remove it.
GLSA 200411-20