Description:
1) The library may perform certain actions prior to validating the authentication of a connecting user, which can be exploited to e.g. disclose certain information about already connected users.
2) It's possible to cause an internal ID counter to overflow, which can be exploited to e.g. hijack another user's session.

The weaknesses are reported in version 1.3.13. Other versions may also be affected.

Solution: Fixed in the GIT repository.
+*net6-1.3.14 (31 Oct 2011) + + 31 Oct 2011; Kacper Kowalik <xarthisius@gentoo.org> -net6-1.3.13.ebuild, + -files/net6-1.3.13-gnutls3.patch, +net6-1.3.14.ebuild: + Version bump, contains fixes for CVE-2011-4093 and CVE-2011-4091, drop old @security: ready for arches to be cc'ed
Thanks. Arches, please test and mark stable: =net-libs/net6-1.3.14 target KEYWORDS="amd64 hppa ppc x86"
00:22 <ago> rdep net6
00:22 <willikins> No packages have a reverse RDEPEND on net-libs/net6.

amd64 ok based on compile test.
(In reply to comment #3)
> 00:22 <ago> rdep net6
> 00:22 <willikins> No packages have a reverse RDEPEND on net-libs/net6.

Willikins lied to you :)

10:25 <@xarthisius> !rdep net6
10:25 <+willikins> xarthisius: Reverse RDEPEND for net-libs/net6: net-libs/obby-0.4.6-r1 net-libs/obby-0.4.7 net-misc/sobby-0.4.7
obby compiles fine, sobby is ~arch. amd64 ok
ditto Ago
Stable for HPPA.
x86 stable
+ 02 Nov 2011; Kacper Kowalik <xarthisius@gentoo.org> -net6-1.3.9.ebuild, + -files/net6-1.3.9-libgnutls.patch: + Marked stable on AMD64 based on arch testing by Agostino ago Sarubbo & Ian + Delaney in bug #389125. ppc stable, drop old @security All arches done
> @security
> All arches done

Thanks folks. Added glsa vote request
Thanks, folks. GLSA vote: yes.
(In reply to comment #11)
> Thanks, folks. GLSA vote: yes.

I'm not sure if GLSA is a good place to do it, but I'd be grateful if you could copy elog message from pkg_postinst[1]. It's not enough to just emerge new version. TIA!

[1]
elog "Please note that because of the use of C++ templates"
elog "Gobby 0.4 has to be recompiled against the new ${PN}"
elog "to pick up the changes."
Vote: NO.
Vote: no. Closing noglsa
CVE-2011-4093 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4093): Integer overflow in inc/server.hpp in libnet6 (aka net6) before 1.3.14 might allow remote attackers to hijack connections and gain privileges as other users by making a large number of connections until the overflow occurs and an ID of another user is provided.

CVE-2011-4091 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4091): The libobby server in inc/server.hpp in libnet6 (aka net6) before 1.3.14 does not perform authentication before checking the user name, which allows remote attackers to obtain sensitive information such as server-usage patterns by a particular user and color preferences.
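
The ID-reuse weakness class described for CVE-2011-4093, as an added example that is not part of this bug report and is not net6's code: a bare incrementing ID counter next to an allocator that tracks live IDs. The class names, the helper functions and the 8-bit ID width are assumptions made for illustration.

```cpp
#include <cstdint>
#include <set>
// Hypothetical allocators, not net6 code; the 8-bit ID width is an assumption.
typedef std::uint8_t UserId;

// Weak pattern: a bare counter that wraps onto IDs still held by live users.
class NaiveIdAllocator {
public:
    UserId next() { return counter_++; }       // unsigned wrap: 255 -> 0 -> 1
private:
    UserId counter_ = 1;
};

// Hardened pattern: remember live IDs, skip them, refuse when none is free.
class CheckedIdAllocator {
public:
    UserId next() {                            // returns 0 when no ID is free
        if (live_.size() >= 255) return 0;     // usable IDs are 1..255
        do {
            if (++counter_ == 0) counter_ = 1; // 0 is reserved for "no ID"
        } while (live_.count(counter_));
        live_.insert(counter_);
        return counter_;
    }
    void release(UserId id) { live_.erase(id); }
private:
    UserId counter_ = 0;
    std::set<UserId> live_;
};

// One long-lived session, then enough connection churn to wrap the counter.
bool naive_reissues_live_id() {
    NaiveIdAllocator a;
    UserId victim = a.next();
    for (int i = 0; i < 255; ++i) a.next();
    return a.next() == victim;                 // ID 1 is handed out twice
}

bool checked_reissues_live_id() {
    CheckedIdAllocator a;
    UserId victim = a.next();                  // stays connected
    for (int i = 0; i < 600; ++i) {
        UserId id = a.next();
        if (id == victim) return true;
        a.release(id);                         // short-lived connection closes
    }
    return false;                              // the live ID is never reused
}

int main() { return naive_reissues_live_id() && !checked_reissues_live_id() ? 0 : 1; }
```

A wider counter only raises the number of connections needed before the wrap; the liveness check is what prevents a second session from receiving an ID that is still in use.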