| Summary: | net-analyzer/fprobe: unspecified security fix | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Luke Macken (RETIRED) <lewk> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | squinky86 |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | All | ||
| URL: | http://sourceforge.net/project/shownotes.php?group_id=63535&release_id=269809 | ||
| Whiteboard: | C? [glsa?] lewk | ||
Description
Luke Macken (RETIRED)
2004-09-27 08:18:28 UTC
squinky86, please bump to 1.0.6.

Stable x86, vulnerable versions removed, ready for GLSA. Thanks lewk :)

Hmmm... short of analyzing the changes in the new version and determining what has been fixed, I would say we can't issue a GLSA for that. I'd drop a line to the maintainer (sla@users.sourceforge.net) and just ask him for clarification.

Dropped a line upstream to find out some more details of this "security fix" so we can decide if we want to issue a GLSA for this or not.

Upstream responded with these details:

The idea of the "change user" security fix consists in changing EUID in each thread independently of the main thread. This is a workaround for clone(2)-based threads (e.g. Linux 2.4.x), where a thread is actually a lightweight process, so changing EUID in the main thread doesn't influence child threads. Therefore in the previous version the potentially vulnerable capture thread always works with EUID 0, without regard to the '-u' parameter.

Security, vote on GLSA?

Closing without GLSA