Luigi Auriemma discovered multiple vulnerabilities in Feng, some of which might affect fenice, as feng was based on the fenice codebase (so it looks).
See comments in bug 203532.
as said in the other bug: mask && kill them
CVE-2007-6626: Multiple buffer overflows in the RTSP_valid_response_msg function in RTSP_state_machine.c in LScube Feng 0.1.15 and earlier allow remote attackers to execute arbitrary code via (1) a long first line of a response, as demonstrated by a long VER line; or (2) a long second line of a response, as demonstrated by a message that follows a RETURN line. CVE-2007-6627: Integer overflow in the RTSP_remove_msg function in RTSP_lowlevel.c in LScube Feng 0.1.15 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an RTP packet with a size value of 0xffff. CVE-2007-6628: LScube Feng 0.1.15 and earlier allows remote attackers to cause a denial of service (NULL dereference and daemon crash) via (1) a malformed Transport header, which triggers misparsing in parse_transport_header in RTSP_setup.c, as demonstrated by a Transport header that contains only a "RTP/AVP;unicast;client_port" sequence; or (2) a malformed Range header, which triggers misparsing in parse_play_time_range in RTSP_Play, as demonstrated by an empty Range header. CVE-2007-6629: Interpretation conflict in LScube Feng 0.1.15 and earlier allows remote attackers to cause a denial of service (NULL dereference and daemon crash) via a User-Agent header line that contains a carriage-return character, which is considered a line delimiter when the header is split into individual lines, but not when log_user_agent in RTSP_utils.c parses the content of the User-Agent line. CVE-2007-6630: The Url_init function in utils/url.c in Netembryo 0.0.4, when used by LScube Feng, allows remote attackers to cause a denial of service (NULL dereference and daemon crash) via a malformed URI containing a "/:" sequence, as demonstrated by a "DESCRIBE /: RTSP/1.0" request.
Luca, will you go ahead on the masking?
Masked
this has been masked for a half year now... might be time to remove it
Security, this pkg is no longer in portage tree. Please close this bug the way you want. + 12 Dec 2008; <ssuominen@gentoo.org> package.mask: + Removing nemesi and fenice, masked since 05 Jan 2008 for security issues. + They are also deprecated and replaced by libnemesi and feng.
Thanks for the notification, closing as this was ~arch only.