From an email announcement to the zebedee list:

After a break of nearly two years there are two new versions of the Zebedee Secure Tunnel available.

Version 2.4.1A contains a very small fix for a possible "denial of service" attack that can crash Zebedee. The Windows binary package has also been linked with the latest versions of the zlib and bzip2 libraries. In the case of zlib this contains security fixes and some possible performance improvements.

Version 2.5.3 is the latest "development" version. It contains the same security bug-fix as 2.4.1A but also fixes other bugs including a long-standing problem with "reverse mode" tunnelling under Windows. Full details are in the CHANGES.txt file within the release.

Both versions are available via http://winton.org.uk/zebedee or from http://sourceforge.net/projects/zebedee.

Neil

Reproducible: Always

Note: includes a fix for a DOS vulnerability.
Bumped both versions in cvs, 2.4.1-r1 is x86 stable because of the DOS vulnerability. Thanks for reporting!
More info on the other DoS issue here: http://www.securityfocus.com/archive/1/410157/30/0/
zebedee-2.5.3 stable on alpha
Time for GLSA decision on this one. I tend to vote NO.
This is an untrusted-network-facing service so I tend to vote yes.
Well if no auth is necessary I agree with half YES.
I would vote a weak YES.
Let's have one.
zebedee is still missing x86 stable keyword.
2.4.1-r1 is stable on x86. What version needs to be stabilized, then?
Exactly: 2.4.x is the stable branch and 2.5.x is the development branch. 2.4.1A (2.4.1-r1) fixes the issue for 2.4.1 and 2.5.3 fixes the issue for 2.5.2.
Oops, sorry for the confusion.
zebedee depends on zlib so this is just about the DoS.
GLSA 200509-14
s390 should mark stable to benefit from GLSA