Description: A vulnerability with an unknown impact has been reported in GNU Gatekeeper. The vulnerability is caused due to an unspecified error. No further information is currently available. The vulnerability is reported in versions prior to 3.1.

Solution: Update to version 3.1.
http://www.openwall.com/lists/oss-security/2012/08/25/4:

"Could you please shed some light on the security issue? is it related to the status port connection limit feature that was recently added in [2] and similar?"

"But you are right, the possibility to create an unlimited number of connections each with its own thread handling it is the issue that creates an easy possibility for a DOS attack."
(In reply to comment #1)
> http://www.openwall.com/lists/oss-security/2012/08/25/4:
>
> "Could you please shed some light on the security issue? is it related to
> the status port connection limit feature that was recently added in [2] and
> similar?"
>
> "But you are right, the possibility to create an unlimited number of
> connections each with its own thread handling it is the issue that
> creates an easy possibility for a DOS attack."

I didn't look at oss-security ~3 since the package is only ~arch
CVE-2012-3534 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3534): GNU Gatekeeper before 3.1 does not limit the number of connections to the status port, which allows remote attackers to cause a denial of service (connection and thread consumption) via a large number of connections.
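The pattern the CVE text describes, a thread-per-connection listener with no cap versus the same listener with a cap, as an added example. This is not GNU Gatekeeper code and does not use its status-port protocol; the banner text, the cap value passed in and the localhost ephemeral port are assumptions for the demo. `max_conns=None` reproduces the unbounded behaviour (every client gets a handler thread), while an integer cap closes surplus connections before any thread is spawned.

```python
"""Thread-per-connection listener with and without a connection cap.

Added example modelled on the CVE-2012-3534 description; it is not
GNU Gatekeeper code. The cap value, the banner and the localhost
ephemeral port are assumptions for the demo, not gnugk's defaults.
"""
import socket
import threading


class StatusPortServer:
    """Accepts TCP clients and hands each one to its own thread.

    max_conns=None reproduces the pre-3.1 behaviour (unbounded threads);
    an integer cap models the fix: surplus clients are closed immediately
    instead of getting a handler thread.
    """

    def __init__(self, max_conns=None):
        self.max_conns = max_conns
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))    # ephemeral port, localhost only
        self.sock.listen(128)
        self.sock.settimeout(0.1)           # lets the accept loop notice stop
        self.port = self.sock.getsockname()[1]
        self.lock = threading.Lock()
        self.active = 0                     # handler threads currently alive
        self.rejected = 0                   # connections refused by the cap
        self.stop = threading.Event()
        self.thread = threading.Thread(target=self._accept_loop, daemon=True)
        self.thread.start()

    def _accept_loop(self):
        while not self.stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with self.lock:
                if self.max_conns is not None and self.active >= self.max_conns:
                    self.rejected += 1
                    conn.close()            # no thread, no banner: cheap refusal
                    continue
                self.active += 1
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        try:
            conn.sendall(b"demo status port\r\n")   # constructed banner
            while conn.recv(1024):
                pass                        # hold the thread until the client hangs up
        except OSError:
            pass
        finally:
            conn.close()
            with self.lock:
                self.active -= 1

    def close(self):
        self.stop.set()
        self.thread.join()
        self.sock.close()


def simulate_flood(n_clients, max_conns=None):
    """Open n_clients connections and keep them open; return (served, refused).

    A client counts as served when it receives the banner (it owns a handler
    thread) and as refused when the server closes it without sending anything.
    """
    server = StatusPortServer(max_conns)
    clients = [socket.create_connection(("127.0.0.1", server.port), timeout=5)
               for _ in range(n_clients)]
    served = refused = 0
    for c in clients:
        try:
            data = c.recv(64)
        except OSError:                     # reset by the server's immediate close
            data = b""
        if data:
            served += 1
        else:
            refused += 1
    for c in clients:
        c.close()
    server.close()
    return served, refused


if __name__ == "__main__":
    print("unbounded:", simulate_flood(5))        # every client gets a thread
    print("capped at 2:", simulate_flood(5, 2))   # only two threads ever exist
```

With no cap the listener spawns one thread per client for as long as the attacker keeps sockets open, which is exactly the resource that the CVE calls "connection and thread consumption"; with a cap the accept loop refuses under the lock before a thread is created, so the attacker can at most keep the cap's worth of threads busy.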
gnugk-3.2.2 is now in CVS. Older versions cannot be dropped yet, because pwlib->ptlib (bug 290062) / openh323->h323plus (bug 290063) migration is not complete.
This is the second security bug in less than 24 hours that you have closed improperly. Stop.
(In reply to comment #5)
> This is the second security bug in less than 24 hours that you have closed
> improperly. Stop.

What did you do in bug 430718? Seems your criteria are random. Also, I don't see interest to punt vulnerable version for packages evaluated as "A" and now, you are reopening this bug for a ~arch package only? :D
(In reply to Chí-Thanh Christopher Nguyễn from comment #4)
> gnugk-3.2.2 is now in CVS.
> Older versions cannot be dropped yet, because pwlib->ptlib (bug 290062) /
> openh323->h323plus (bug 290063) migration is not complete.

The old packages (masked since 11 July 2013) have been treecleaned:

dev-libs/pwlib
net-libs/openh323
<=net-libs/opal-2.2.11
<=net-voip/ekiga-2.0.12
<=net-voip/gnugk-2.2.8
<=net-voip/openmcu-2.2.1
<=net-voip/yate-2.0.0

Perhaps that means this bug can be closed?
Dion, thank you for the cleanup. No stable version ~ no GLSA needed.