Summary: | <net-irc/bip-0.8.9: Denial of Service (CVE-2011-5268,CVE-2013-4550) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Mikle Kolyada (RETIRED) <zlogene> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | maintainer-needed |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://seclists.org/oss-sec/2013/q4/250 | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Mikle Kolyada (RETIRED)
2013-11-08 19:29:38 UTC
CVE-2013-4550 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4550): Bip before 0.8.9, when running as a daemon, writes SSL handshake errors to an unexpected file descriptor that was previously associated with stderr before stderr has been closed, which allows remote attackers to write to other sockets and have an unspecified impact via a failed SSL handshake. CVE-2011-5268 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5268): connection.c in Bip before 0.8.9 does not properly close sockets, which allows remote attackers to cause a denial of service (file descriptor consumption and crash) via multiple failed SSL handshakes. Multiple CVEs fixed in 0.8.9, so adding 2011-5628. CCing treecleaners as nobody is taking care of this Bumped: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f388a3351b0bfdb1233211eefbc1e0d98b892190 Arch teams, please test and stabilise net-irc/bip-0.8.9. Target KEYWORDS="amd64 x86". Thanks! amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please vote. Remove old. GLSA Vote: No Thank you all. Closing as noglsa. |