No-IP has determined that the following advisory is applicable to one or more of the systems you have registered.

Security Advisory - 2008-11-22
------------------------------------------------------------------------------
Summary: Important: No-IP Linux DUC (Dynamic Update Client)

An updated version of the No-IP Linux Dynamic Update Client that fixes a security issue is now available. This update has been rated as having important security impact.

Description:
Versions 2.1.1 -> 2.1.8 are prone to a stack-based buffer-overflow due to a boundary error when processing HTTP responses received from the update server. This can be exploited and cause a stack-based buffer overflow when performing an update. A malicious user could exploit this by faking the No-IP update server via DNS poisoning or a man in the middle attack. This can cause a denial of service (client crash) or potentially execute arbitrary code on the computer the client is running on.

Users running versions 2.1.8 and older are encouraged to upgrade to the most recent version, 2.1.9 at http://www.no-ip.com/downloads?page=linux&av=1

Regards,
The No-IP Team

Reproducible: Always
Added Secunia link.
*** Bug 248727 has been marked as a duplicate of this bug. ***
*** This bug has been marked as a duplicate of bug 248758 ***
This is not a duplicate, sorry for the bugspam.
*PING*
*Additional Ping*
CVE-2008-5297 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5297): Buffer overflow in No-IP DUC 2.1.7 and earlier allows remote DNS servers to execute arbitrary code via a crafted DNS response, related to a missing length check in the GetNextLine function.
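The kind of length check the CVE entry says is missing, as an added example that is not part of the original thread and is not No-IP's code: a line extractor for a server response that refuses any line too long for the caller's fixed-size buffer. The names `next_line`, `count_oversized` and `SAMPLE` are hypothetical, and the sample response is constructed; the real `GetNextLine` is not shown on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (name and signature are assumptions, not No-IP's code).
 * Copies the next line of buf[0..len) into out, starting at *pos. Returns the
 * line length, -1 at end of input, -2 if the line does not fit in out. */
long next_line(const char *buf, size_t len, size_t *pos, char *out, size_t out_size)
{
    if (out_size == 0)
        return -2;
    out[0] = '\0';
    if (*pos >= len)
        return -1;
    const char *start = buf + *pos;
    size_t avail = len - *pos;
    const char *nl = memchr(start, '\n', avail);
    size_t line_len = nl ? (size_t)(nl - start) : avail;
    /* Consume the line even when rejecting it, so parsing can continue. */
    *pos += nl ? line_len + 1 : line_len;
    if (line_len > 0 && start[line_len - 1] == '\r')
        line_len--;                /* drop the CR of a CRLF ending */
    /* The length check: line plus terminating NUL must fit in out. */
    if (line_len >= out_size)
        return -2;
    memcpy(out, start, line_len);
    out[line_len] = '\0';
    return (long)line_len;
}

/* Constructed sample: the 40-byte line exceeds the 16-byte buffer below. */
static const char SAMPLE[] =
    "HTTP/1.0 200 OK\r\n\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\ngood\n";

/* Walks a response with a fixed 16-byte buffer; counts rejected lines. */
int count_oversized(const char *buf, size_t len)
{
    char line[16];
    size_t pos = 0;
    int rejected = 0;
    long n;
    while ((n = next_line(buf, len, &pos, line, sizeof line)) != -1)
        rejected += (n == -2);
    return rejected;
}

int main(void)
{
    return printf("rejected: %d\n", count_oversized(SAMPLE, sizeof SAMPLE - 1)) < 0;
}
```

A rejected line is still consumed, so one oversized line from a spoofed server cannot stall the parser or spill past the stack buffer.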
Created attachment 175075
noip-updater-2.1.9.ebuild.patch

since dragonheart is away until the 20th, patch to apply on top of noip-updater-2.1.7-r1

Created attachment 175077
noip-2.1.9-flags.patch

updated patch from noip-2.1.3-cflags with added bonus that it respects ldflags.

Created attachment 175079
noip-2.1.9-daemon.patch

update patch from noip-2.1.4-daemon.patch
ebuild committed to the tree.
Arches, please test and mark stable:
=net-dns/noip-updater-2.1.9
Target keywords : "alpha amd64 ia64 ppc64 sparc x86"
ppc64 done
Stable on alpha.
amd64/x86 stable
ia64/sparc stable
GLSA request filed.
GLSA 200901-12