A security issue has been reported in No-IP Dynamic Update Client, which can be exploited by malicious people to disclose sensitive information. The security issue is caused due to the application submitting user credentials over HTTP when sending a status update to the hosted service. The security issue is confirmed in No-IP Linux Dynamic Update Client 2.1.9. Other versions may also be affected.
SOLUTION: No solution is currently available.
PROVIDED AND/OR DISCOVERED BY: Fabio Pinheiro
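The advisory's point is that the client puts the account credentials into a plain-HTTP request. The following is an added check (not part of the advisory, the bug thread or the No-IP client) that a packager or incident responder could run over a captured request to confirm whether credentials are leaving in cleartext; the request text, host name and parameter names below are constructed for the example, not taken from the real client.

```python
"""Flag dynamic-DNS style update requests that carry credentials without TLS."""
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed sample request (an assumption about the shape of such a request,
# not a real capture of the No-IP client).
SAMPLE_REQUEST = (
    "GET /nic/update?hostname=example.ddns.example&myip=203.0.113.7 HTTP/1.1\r\n"
    "Host: dynupdate.example.invalid\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode() + "\r\n"
    "User-Agent: constructed-duc/0.0\r\n\r\n"
)

# Query parameter names commonly used to pass credentials (assumed list).
CRED_PARAMS = {"user", "username", "pass", "password", "passwd", "p", "u"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def find_cleartext_credentials(raw, over_tls):
    """Return a list of findings; empty when the request exposes no credentials."""
    if over_tls:
        return []  # credentials inside a TLS session are not visible on the wire
    _method, target, headers = parse_request(raw)
    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            # Only the user name is reported; the password is never echoed.
            user = base64.b64decode(auth[6:]).decode(errors="replace").split(":", 1)[0]
        except ValueError:
            user = "<undecodable>"
        findings.append(f"HTTP Basic credentials for user {user!r} sent in cleartext")
    query = parse_qs(urlsplit(target).query)
    for name in sorted(query):
        if name.lower() in CRED_PARAMS:
            findings.append(f"credential-like query parameter {name!r} sent in cleartext")
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_REQUEST, over_tls=False):
        print("FINDING:", finding)
```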
No upstream release yet, just checked. I'm really not willing to rewrite their HTTP code in C to support HTTPS.
No upstream fix available. Package is m-n. @security team: p.mask? remove?
I created a ticket upstream and they say that an update is on its way; however, they cannot give an estimate of when they are going to release it. I currently have no knowledge of C with which to attempt a fix myself and would probably be doing more harm than good without the proper knowledge.
I did some research into it and the best solution is to remove the package from the portage tree. Even if, as Daniel suggested, we rewrote the client to support HTTPS, it would not work, as NoIP does not have HTTPS enabled on the server that receives the requests, so essentially the problem is on NoIP's side at this point.
Let's remove it then.
For what it matters, they do have a somewhat open API: https://www.noip.com/integrate/request Looks straightforward; if all else fails I will try to use it. Some HTTPS POST curl-ing should suffice.
(In reply to Francis Booth from comment #3)
> I created a ticket upstream and they say that an update is on its way
> however they cannot give an estimated time of when they were going to
> release it.. I currently have no knowledge of C as to attempt to create a
> fix myself and probably would be doing more harm than good without the
> proper knowledge.

Is the ticket public?
(In reply to Fabio Rossi from comment #7)
> (In reply to Francis Booth from comment #3)
> > I created a ticket upstream and they say that an update is on its way
> > however they cannot give an estimated time of when they were going to
> > release it.. I currently have no knowledge of C as to attempt to create a
> > fix myself and probably would be doing more harm than good without the
> > proper knowledge.
>
> is the ticket public?

Sadly no, and I don't have the ticket ID anymore since it's been 9 months since that ticket was created, but I'm willing to bet if I opened another one they would say the same thing. Doesn't hurt to try though.
(In reply to Francis Booth from comment #8)
> (In reply to Fabio Rossi from comment #7)
> > (In reply to Francis Booth from comment #3)
> > > I created a ticket upstream and they say that an update is on its way
> > > however they cannot give an estimated time of when they were going to
> > > release it.. I currently have no knowledge of C as to attempt to create a
> > > fix myself and probably would be doing more harm than good without the
> > > proper knowledge.
> >
> > is the ticket public?
>
> Sadly no, and I don't have the ticket ID anymore since its been 9 months
> since that ticket had been created but I'm willing to bet if I opened
> another one they would say the same thing. Doesn't hurt to try though.

I opened a ticket the other day and got the same answer.
Removed.
Package removed per previous comments. GLSA needed?
GLSA Vote: No