|Summary:||net-proxy/havp < 0.89 sockethandler.cpp Infinite loop DoS (CVE-2008-3688)|
|Product:||Gentoo Security||Reporter:||Per Pomsel <phantom4>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Whiteboard:||B3 [glsa] Falco|
|Package list:||Runtime testing required:||---|
Description Per Pomsel 2008-08-14 09:16:43 UTC
Version 0.89 of HAVP is out. Reproducible: Always
Comment 1 Raphael Marichez (Falco) (RETIRED) 2008-08-14 14:56:02 UTC
03.08.2008 HAVP 0.89 released
- Fix possible retry loop and hang (thanks to Peter Warasin @ endian.it)
- Always send Via: header, fixes some IIS problems (e.g. MSNBC)

I took the liberty of bumping it since there is no significant change. And it seems it has a security impact. So, reassigning to security.

Original advisory is here: https://sourceforge.net/mailarchive/forum.php?thread_name=487CDF51.5060201%40endian.com&forum_name=havp-devel
Comment 2 Raphael Marichez (Falco) (RETIRED) 2008-08-14 14:58:48 UTC
Hi AMD64 team and X86 team, please could you test & stabilize net-proxy/havp-0.89, thanks.
Comment 3 Markus Meier 2008-08-15 18:17:40 UTC
amd64/x86 stable, all arches done.
Comment 4 Raphael Marichez (Falco) (RETIRED) 2008-08-17 22:35:27 UTC
Thanks. Time to vote. I would vote glsa because that kind of DoS is really easy to trigger. But half-yes because of the weak distribution of that software.
Comment 5 Matt Drew (RETIRED) 2008-09-08 17:07:41 UTC
I'll vote yes, because it's a security-specific application - the people that ARE using it need to know.
Comment 6 Pierre-Yves Rofes (RETIRED) 2008-09-18 21:30:21 UTC
yes too, request filed.
Comment 7 Pierre-Yves Rofes (RETIRED) 2008-09-21 17:35:29 UTC