
Bug 105115

Summary: net-misc/zebedee: Denial of Service
Product: Gentoo Security
Reporter: Bill Kenworthy <bill>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: vanquirius
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://sourceforge.net/projects/zebedee
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Bill Kenworthy 2005-09-06 23:34:22 UTC
From an email announcement to the zebedee list:

After a break of nearly two years there are two new versions of the Zebedee
Secure Tunnel available.
 
Version 2.4.1A contains a very small fix for a possible "denial of service"
attack that can crash Zebedee. The Windows binary package has also been linked
with the latest versions of the zlib and bzip2 libraries. In the case of zlib
this contains security fixes and some possible performance improvements.
 
Version 2.5.3 is the latest "development" version. It contains the same security
bug-fix as 2.4.1A but also fixes other bugs including a long-standing problem
with "reverse mode" tunnelling under Windows. Full details are in the
CHANGES.txt file within the release.
 
Both versions are available via http://winton.org.uk/zebedee or from
http://sourceforge.net/projects/zebedee.
 
    Neil

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Note: includes a fix for a DOS vulnerability.
Comment 1 Marcelo Goes (RETIRED) gentoo-dev 2005-09-07 09:06:09 UTC
Bumped both versions in cvs, 2.4.1-r1 is x86 stable because of the DOS
vulnerability.
Thanks for reporting!
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-09 23:16:13 UTC
More info on the other DoS issue here:

http://www.securityfocus.com/archive/1/410157/30/0/
Comment 3 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-09-10 10:20:10 UTC
zebedee-2.5.3 stable on alpha
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-10 23:05:29 UTC
Time for GLSA decision on this one. I tend to vote NO.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-09-11 02:39:30 UTC
This is an untrusted-network-facing service so I tend to vote yes.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-11 02:42:01 UTC
Well, if no auth is necessary I agree with half YES.
Comment 7 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-14 03:15:38 UTC
I would vote a weak YES.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-09-14 03:16:47 UTC
Let's have one.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-09-14 03:18:17 UTC
zebedee is still missing x86 stable keyword.
Comment 10 Chris Gianelloni (RETIRED) gentoo-dev 2005-09-15 06:47:38 UTC
2.4.1-r1 is stable on x86. What version needs to be stabilized, then?
Comment 11 Marcelo Goes (RETIRED) gentoo-dev 2005-09-15 08:47:02 UTC
Exactly: 2.4.x is the stable branch and 2.5.x is the development branch. 2.4.1A
(2.4.1-r1) fixes the issue for 2.4.1 and 2.5.3 fixes the issue for 2.5.2.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-09-16 01:11:50 UTC
Oops, sorry for the confusion.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-09-19 01:13:41 UTC
zebedee depends on zlib so this is just about the DoS.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-09-20 07:00:49 UTC
GLSA 200509-14
s390 should mark stable to benefit from GLSA