Summary: | net-dns/noip-updater Information Disclosure | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | andrzej.pauli, boothfsec, chris, dragonheart, rossi.f, treecleaner |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://secunia.com/advisories/33687/ | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2009-03-04 17:15:06 UTC
No upstream release yet. Just checked. I'm really not willing to rewrite their http code in C to support https.

No upstream fix available. Package is m-n. @security team: p.mask? remove?

I created a ticket upstream and they say that an update is on its way however they cannot give an estimated time of when they were going to release it. I currently have no knowledge of C as to attempt to create a fix myself and probably would be doing more harm than good without the proper knowledge.

I did some research into it and the best solution is to remove the package from the portage tree. Even if, as Daniel suggested, we rewrote the client to support https, it would not work, as NoIP does not have https enabled on the server that receives the requests, so essentially the problem is on NoIP's side at this point.

Let's remove it then.

For what it matters they do have a somewhat open API: https://www.noip.com/integrate/request
Looks straightforward; if all fails I will try to use it. Some HTTPS POST curl-ing should suffice.

(In reply to Francis Booth from comment #3)
> I created a ticket upstream and they say that an update is on its way
> however they cannot give an estimated time of when they were going to
> release it. I currently have no knowledge of C as to attempt to create a
> fix myself and probably would be doing more harm than good without the
> proper knowledge.

Is the ticket public?

(In reply to Fabio Rossi from comment #7)
> (In reply to Francis Booth from comment #3)
> > I created a ticket upstream and they say that an update is on its way
> > however they cannot give an estimated time of when they were going to
> > release it. I currently have no knowledge of C as to attempt to create a
> > fix myself and probably would be doing more harm than good without the
> > proper knowledge.
>
> Is the ticket public?

Sadly no, and I don't have the ticket ID anymore since it's been 9 months since that ticket had been created, but I'm willing to bet if I opened another one they would say the same thing. Doesn't hurt to try though.

(In reply to Francis Booth from comment #8)
> (In reply to Fabio Rossi from comment #7)
> > (In reply to Francis Booth from comment #3)
> > > I created a ticket upstream and they say that an update is on its way
> > > however they cannot give an estimated time of when they were going to
> > > release it. I currently have no knowledge of C as to attempt to create a
> > > fix myself and probably would be doing more harm than good without the
> > > proper knowledge.
> >
> > Is the ticket public?
>
> Sadly no, and I don't have the ticket ID anymore since it's been 9 months
> since that ticket had been created, but I'm willing to bet if I opened
> another one they would say the same thing. Doesn't hurt to try though.

I opened a ticket the other day and got the same answer.

Removed.

Package removed per previous comments. GLSA needed?

GLSA Vote: No