Summary: | <net-misc/openconnect-4.08: Stack-based buffer overflow when processing certain host names, paths, or cookie lists (CVE-2012-6128) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | hasufell, mattsch, pacho, proxy-maint |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=910330 | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 460098 | ||
Bug Blocks: |
Description
Agostino Sarubbo
2013-02-13 10:49:05 UTC
Version bumping from openconnect-4.07-r3 to openconnect-4.99 will fix the bug. (In reply to comment #1) > Version bumping from openconnect-4.07-r3 to openconnect-4.99 will fix the > bug. Can we get an ebuild for that? (In reply to comment #2) > (In reply to comment #1) > > Version bumping from openconnect-4.07-r3 to openconnect-4.99 will fix the > > bug. > > Can we get an ebuild for that? cp openconnect-4.07-r3.ebuild openconnect-4.99.ebuild. No changes are necessary. (In reply to comment #3) > cp openconnect-4.07-r3.ebuild openconnect-4.99.ebuild. No changes are > necessary. Done. Arches, please test and mark stable: =net-misc/openconnect-4.99 Target keywords : "amd64 x86" amd64 stable x86 stable There is a bit of misunderstanding here I believe. 4.99 is a beta release and 4.08 looks like it is newer compared to 4.99. Look at bug #460098. I believe the stabilization target should be 4.08 and not the 4.99. They did the same on the redhat bugzilla. CVE-2012-6128 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6128): Multiple stack-based buffer overflows in http.c in OpenConnect before 4.08 allow remote VPN gateways to cause a denial of service (application crash) via a long (1) hostname, (2) path, or (3) cookie list in a response. (In reply to comment #7) > There is a bit of misunderstanding here I believe. 4.99 is a beta release > and 4.08 looks like it is newer compared to 4.99. Look at bug #460098. I > believe the stabilization target should be 4.08 and not the 4.99. They did > the same on the redhat bugzilla. OK to proceed? (ask for 4.08 stabilization and hardmask or remove (please tell what is the way to go) 4.99) (In reply to comment #9) > (In reply to comment #7) > > There is a bit of misunderstanding here I believe. 4.99 is a beta release > > and 4.08 looks like it is newer compared to 4.99. Look at bug #460098. I > > believe the stabilization target should be 4.08 and not the 4.99. They did > > the same on the redhat bugzilla. > > OK to proceed? (ask for 4.08 stabilization and hardmask or remove (please > tell what is the way to go) 4.99) ping! I think we should readd arches to stabilize 4.08 and, then, drop 4.99 entirely (In reply to comment #10) > (In reply to comment #9) > > (In reply to comment #7) > > > There is a bit of misunderstanding here I believe. 4.99 is a beta release > > > and 4.08 looks like it is newer compared to 4.99. Look at bug #460098. I > > > believe the stabilization target should be 4.08 and not the 4.99. They did > > > the same on the redhat bugzilla. > > > > OK to proceed? (ask for 4.08 stabilization and hardmask or remove (please > > tell what is the way to go) 4.99) > > ping! I think we should readd arches to stabilize 4.08 and, then, drop 4.99 > entirely ok by me (In reply to comment #11) > (In reply to comment #10) > > (In reply to comment #9) > > > (In reply to comment #7) > > > > There is a bit of misunderstanding here I believe. 4.99 is a beta release > > > > and 4.08 looks like it is newer compared to 4.99. Look at bug #460098. I > > > > believe the stabilization target should be 4.08 and not the 4.99. They did > > > > the same on the redhat bugzilla. > > > > > > OK to proceed? (ask for 4.08 stabilization and hardmask or remove (please > > > tell what is the way to go) 4.99) > > > > ping! I think we should readd arches to stabilize 4.08 and, then, drop 4.99 > > entirely > > ok by me Good by us. Lets go! Arches, please test and mark stable: =net-misc/openconnect-4.08 Target KEYWORDS: "amd64 x86" x86 stable amd64 stable removal done New GLSA drafted. This issue was resolved and addressed in GLSA 201405-18 at http://security.gentoo.org/glsa/glsa-201405-18.xml by GLSA coordinator Sean Amoss (ackle). |