| Summary: | sys-block/nbd Buffer overflow (CVE-2005-3534) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | kutsuya |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.debian.org/security/2005/dsa-924 | ||
| Whiteboard: | C1? [glsa] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Sune Kloppenborg Jeppesen (RETIRED)
2005-12-21 11:51:28 UTC
base-system please advise and provide updated ebuilds if necessary. the CVE seems to be wrong, but maybe that helps: http://sourceforge.net/mailarchive/forum.php?thread_id=9201144&forum_id=40388 2.8.2-r1 in portage with fix Arches please test and mark stable. amd64 stable Stable on ppc. x86 stable ready for glsa Forwarding this from #gentoo: Yoe: Hi! I'm the maintainer of the NBD utilities (not in Gentoo; upstream, and in Debian). There's been a security issue with that one, and Gentoo is preparing a GLSA. Yoe: However, they're not doing it right; the update is preparing with 2.8.2, but you need at least 2.8.3 to plug the hole. Yoe: I sent mail to dercorney@gentoo.org with that information (who's declared it "ready for GLSA"), but I'd like to avoid that you guys get it wrong. Could anyone please add some comment to that bug? (1) it's CVE-2005-3534 rather than 3354, and (2) you need NBD 2.8.3 to plug the hole, rather than 2.8.2; the latter is still vulnerable. Thanks for the headsup, the mail didn't make it through, i'm sorry (maybe because email addy was wrong?). We ship 2.8.2-r1, -r1 for revision one, including a security patch - so in fact we should be fine here and can keep the GLSA status. Updating CVE number. GLSA 200512-14 |