| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | <net-misc/iodine-0.7.0: authentication bypass by client (CVE-2014-4168) | | |
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | proxy-maint, root, vostorga, zx2c4 |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2014/06/16/5 | | |
| Whiteboard: | ~4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-06-17 11:39:14 UTC
I've reviewed the ebuild and added the version bump plus modified ebuild to my overlay (layman -a xmw) for testing. I'll add it to the tree later.

```
+*iodine-0.7.0 (18 Jul 2014)
+
+  18 Jul 2014; Michael Weber <xmw@gentoo.org>
+  +files/iodine-0.7.0-TestMessage.patch, +files/iodined-1.init,
+  +iodine-0.7.0.ebuild:
+  Version bump (bug 513560, CVE-2014-4168), EAPI-5, approved by vostoga.

   18 Jul 2014; Michael Weber <xmw@gentoo.org> package.mask:
   Masked for removal of affected versions in 30 days. Security issue bug 513560

+  07 Sep 2014; Pacho Ramos <pacho@gentoo.org>
+  -files/iodine-0.5.2-Makefile.patch, -files/iodine-0.6.0_rc1-TestMessage.patch,
+  -files/iodine-0.6.0_rc1-ifconfig-path.patch, -iodine-0.5.2.ebuild,
+  -iodine-0.6.0_rc1-r1.ebuild, -iodine-0.6.0_rc1.ebuild:
+  Remove masked for removal versions
```

CVE-2014-4168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4168): (1) iodined.c and (2) user.c in iodine before 0.7.0 allow remote attackers to bypass authentication by continuing execution after an error has been triggered.
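The CVE text above names a bug class rather than a specific line: an error is detected and reported, but the handler keeps running and reaches the code that marks the peer as logged in. The following is an added illustration of that pattern and of the fix shape, written for this page; it is not iodine's code, and every name in it (`struct client`, `handle_login_*`, `check_secret`, the demo secret) is invented. The fixed variant also uses a constant-time comparison, which is an additional hardening choice and not something the CVE text describes.

```c
/* Constructed illustration of "continuing execution after an error has
 * been triggered" (the bug class of CVE-2014-4168). NOT iodine's code;
 * all names and the demo secret are invented for this example. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define SECRET_LEN 32   /* hypothetical fixed-width shared secret */

struct client {
    int authenticated;      /* 1 once the peer may use the tunnel */
    char name[16];          /* label used only for log lines */
};

/* Demo secret (constructed). A real server would load this from config. */
static const uint8_t shared_secret[SECRET_LEN] = "correct-horse-battery";

/* Constant-time comparison so the check itself leaks no timing signal.
 * Returns 0 on match, -1 on mismatch or wrong length. */
static int check_secret(const uint8_t *buf, size_t len) {
    if (len != SECRET_LEN)
        return -1;
    uint8_t diff = 0;
    for (size_t i = 0; i < SECRET_LEN; i++)
        diff |= buf[i] ^ shared_secret[i];
    return diff == 0 ? 0 : -1;
}

/* Vulnerable shape: the error branch logs the failure but does not leave
 * the function, so control falls through into the success path and the
 * client is authenticated with a wrong secret. Returns the resulting
 * authenticated flag. */
int handle_login_vulnerable(struct client *c, const uint8_t *buf, size_t len) {
    if (check_secret(buf, len) != 0) {
        fprintf(stderr, "login: bad secret from %s\n", c->name);
        /* BUG: missing return; execution continues below */
    }
    c->authenticated = 1;   /* reached on the error path too */
    return c->authenticated;
}

/* Fixed shape: every error path terminates the handler before any state
 * meaning "logged in" is written, and the flag is explicitly cleared. */
int handle_login_fixed(struct client *c, const uint8_t *buf, size_t len) {
    if (check_secret(buf, len) != 0) {
        fprintf(stderr, "login: bad secret from %s\n", c->name);
        c->authenticated = 0;
        return 0;           /* failure is terminal */
    }
    c->authenticated = 1;
    return 1;
}

/* Self-check helpers: feed a wrong and a right secret to both handlers. */
int demo_vulnerable_accepts_bad_secret(void) {
    struct client c = { 0, "demo" };
    uint8_t bad[SECRET_LEN];
    memset(bad, 'x', sizeof bad);           /* constructed wrong secret */
    return handle_login_vulnerable(&c, bad, sizeof bad);   /* 1 = bypass */
}

int demo_fixed_rejects_bad_secret(void) {
    struct client c = { 0, "demo" };
    uint8_t bad[SECRET_LEN];
    memset(bad, 'x', sizeof bad);
    return handle_login_fixed(&c, bad, sizeof bad);        /* 0 = rejected */
}

int demo_fixed_accepts_good_secret(void) {
    struct client c = { 0, "demo" };
    return handle_login_fixed(&c, shared_secret, SECRET_LEN); /* 1 = ok */
}

int main(void) {
    printf("vulnerable handler, wrong secret -> authenticated=%d\n",
           demo_vulnerable_accepts_bad_secret());
    printf("fixed handler, wrong secret      -> authenticated=%d\n",
           demo_fixed_rejects_bad_secret());
    printf("fixed handler, right secret      -> authenticated=%d\n",
           demo_fixed_accepts_good_secret());
    return 0;
}
```

The reviewable property is that in the fixed handler no path from "check failed" reaches the assignment of the logged-in state; when auditing a login or handshake handler, follow each error branch to its `return` rather than only confirming that an error message is emitted.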