| Summary: | <net-misc/iodine-0.7.0: authentication bypass by client (CVE-2014-4168) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | proxy-maint, root, vostorga, zx2c4 |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2014/06/16/5 | ||
| Whiteboard: | ~4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
I've reviewed the ebuild and added the version bump plus modified ebuild to my overlay (layman -a xmw) for testing. I'll add it to the tree later. +*iodine-0.7.0 (18 Jul 2014) + + 18 Jul 2014; Michael Weber <xmw@gentoo.org> + +files/iodine-0.7.0-TestMessage.patch, +files/iodined-1.init, + +iodine-0.7.0.ebuild: + Version bump (bug 513560, CVE-2014-4168), EAPI-5, approved by vostoga. + 18 Jul 2014; Michael Weber <xmw@gentoo.org> package.mask: Masked for removal of affected versions in 30 days. Security issue bug 513560 + 07 Sep 2014; Pacho Ramos <pacho@gentoo.org> + -files/iodine-0.5.2-Makefile.patch, -files/iodine-0.6.0_rc1-TestMessage.patch, + -files/iodine-0.6.0_rc1-ifconfig-path.patch, -iodine-0.5.2.ebuild, + -iodine-0.6.0_rc1-r1.ebuild, -iodine-0.6.0_rc1.ebuild: + Remove masked for removal versions + CVE-2014-4168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4168): (1) iodined.c and (2) user.c in iodine before 0.7.0 allows remote attackers to bypass authentication by continuing execution after an error has been triggering. |
From ${URL} : iodine 0.7.0 has just been released, which fixes an authentication bypass issue discovered by Oscar Reparaz. The fix is here: https://github.com/yarrick/iodine/commit/b715be5cf3978fbe589b03b09c9398d0d791f850 and the new release is available at the homepage: http://code.kryo.se/iodine/ @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.