Summary: | dev-util/tla-1.2-r1 using vulnerable libneon | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
Component: | GLSA Errors | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | rphillips |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | http://www.openpkg.org/security/OpenPKG-SA-2004.024-neon.html | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2004-05-20 12:23:24 UTC
Tla 1.2.1pre1 was released by James Blackwell because Tom was offline because he was moving. It fixes this security hole. For more information see this: http://mail.gnu.org/archive/html/gnu-arch-users/2004-04/msg00715.html Tom as later acked this version: http://mail.gnu.org/archive/html/gnu-arch-users/2004-04/msg00716.html Confirmed Fix version is 1.2.1pre1. Ryan : please bump to this version. 1.2.1_pre1 committed. Awaiting GLSA announcement for bug closure. Ready for a GLSA GLSA 200405-25 Carsten Eiram from Secunia brought to our attention that 1.2.1_pre1 includes neon-0.24.5, so it does only solve the string format vuln (CAN-2004-0179) and not the heap overflow (CAN-2004-0398), which needs neon-0.24.6. The OpenPKG advisory uses a "tla-1.2-20040519" as the fix. rphillips : could you clear that up and, if needed, produce a new fix ebuild ? We'll probably have to issue an errata advisory. I looked in http://dailyarch.gnuarch.org/ for the tla snapshot for 20040519. in src/tla/libneon/aclocal.m4 it says that libneon is 0.24.0 still... Also, in the latest snapshot: 20040602. Am I just seeing things? jivera in #arch said that the included neon isn't up to date yet. I think the openpackage advisory might not have gotten the right fix (if there is one). tla-1.2-r2.ebuild has been committed to portage. tla will use the installed neon shared library via the patch included (files/tla-1.2-4.diff.gz) Awaiting GLSA Errata drafted, security, please review. We should remove/mask 1.2.1_pre1 before GLSA release so that this vulnerable version does not get picked up by the emerge ">=dev-util/tla-1.2-r2". Errata GLSA 200405-25:02 Ryan: thank you very much for this quick and efficient fix ! |