Summary: | <net-libs/libcapsinetwork-0.3.0-r2: off-by-one error in network code (CVE-2015-0841) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | pinkbyte |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2015/03/23/20 | ||
Whiteboard: | B2 [glsa cve] | ||
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-03-24 13:15:18 UTC
+*libcapsinetwork-0.3.0-r2 (24 Apr 2015) + + 24 Apr 2015; Sergey Popov <pinkbyte@gentoo.org> + +libcapsinetwork-0.3.0-r2.ebuild, + +files/libcapsinetwork-0.3.0-CVE-2015-0841.patch: + Revision bump: fix security issue, wrt bug #544324, add multilib support

Let's begin stabilization.

Arches, please test and mark stable =net-libs/libcapsinetwork-0.3.0-r2

Target keywords: amd64 ppc sparc x86

I have contacted libcapsinetwork's upstream (it's not actually dead). They incorporate changes of this library in their application (games-server/monopd) and they strongly discourage using this standalone library.

In these circumstances, I think it would be better to just lastrite it - it will not harm too much, as there were no consumers in our portage tree.

+ 24 Apr 2015; Sergey Popov <pinkbyte@gentoo.org> package.mask: + Mask net-libs/libcapsinetwork

The package is gone now. GLSA request is filed.

This issue was resolved and addressed in GLSA 201507-12 at https://security.gentoo.org/glsa/201507-12 by GLSA coordinator Mikle Kolyada (Zlogene).

CVE-2015-0841 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0841): ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

** TEMPORARY ** There's an off-by-one error in libcapsinetwork network handling code, which was merged into monopd in version 0.9.4.