The POC
The POC [1] is against 1.34, tested on WinXP. We have only version ~1.25 in the tree. I don't know if it is affected, too. Either replacing it with 1.35 or inviting treecleaners, if no one really cares for the package, should suffice. [1] http://www.milw0rm.com/exploits/2482
www-servers, any interest in keeping this? If so, pls verify/bump.
www-servers, pls comment
I've put minimal (i.e. cp) effort into creating a bump ebuild, but failed. IMHO this can be punted. www-servers/fnord is an alternative. Thanks.
Since this is not marked stable on any arch, pls feel free to mask->remove it.
I agree with masking/removing it if no one can resolve that bug. I'll try to check whether our version is really vulnerable during this week.
Sorry for the delay in replying. I've bumped this package up to 1.35. That was released back in April, long before the exploit was posted. I can't tell whether this version is also vulnerable or not at the moment. Anyone in the security team fancy auditing it? Best regards, Stu
Thanks Stuart. I'll try to have a look at this.
Finally removing treecleaner from Cc since Stuart has taken this package :)
The update to 1.35 should suffice. Forgot to provide the advisory URL, sorry. http://secunia.com/advisories/22294/
I couldn't determine if 1.25 was affected. That's not a problem since 1.35 is out after all. I'm closing this bug; as usual, feel free to reopen if you disagree.