From ${URL} : An incomplete fix for CVE-2016-4356 was reported in libksba. The old fix for the problem from April 2015 had an off-by-one in the bad encoding handing. Upstream fix: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=6be61daac047d8e6aa941eb103f8e71a1d4e3c75 CVE assignment: http://seclists.org/oss-sec/2016/q2/300 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Version bump to 1.3.4. Changes are trivial, can we wait few days to see if there are issues?
Hi, Please stabilize. Thanks!
Stable on alpha.
Stable for PPC64.
arm stable
amd64 stable
Stable for HPPA.
x86 stable
ppc stable
sparc stable
ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
CVE-2016-4574 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4574): Off-by-one error in the append_utf8_value function in the DN decoder (dn.c) in Libksba before 1.3.4 allows remote attackers to cause a denial of service (out-of-bounds read) via invalid utf-8 encoded data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-4356.
Re-designating again. This is a potential DoS. @maintainer(s), please clean the vulnerable version so we can close this.
(In reply to Aaron Bauman from comment #13) > Re-designating again. This is a potential DoS. > > @maintainer(s), please clean the vulnerable version so we can close this. Done, thanks!
(In reply to Alon Bar-Lev from comment #14) > (In reply to Aaron Bauman from comment #13) > > Re-designating again. This is a potential DoS. > > > > @maintainer(s), please clean the vulnerable version so we can close this. > > Done, thanks! Thanks!