Summary: | <net-ftp/atftp-0.7.2-r2: Denial of service vulnerability (CVE-2020-6097) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | klausman, martin.dummer, proxy-maint |
Priority: | Normal | Flags: | nattka: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029 | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | net-ftp/atftp-0.7.2-r2 amd64 arm ppc ppc64 x86 | ||
Runtime testing required: | --- |
Description
Sam James
2020-09-11 02:34:49 UTC
A patch is available here. Not assessed it. https://sourceforge.net/p/atftp/code/merge-requests/3/.

ping

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fb0a9a8269b01b991bb14c1382058d84de966ea2

commit fb0a9a8269b01b991bb14c1382058d84de966ea2
Author: Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2021-01-12 11:54:22 +0000
Commit: Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2021-01-12 11:55:58 +0000

net-ftp/atftp: Add -r addressing CVE 2020-6097

Patch sourced from:
https://sourceforge.net/u/peterkaestle/atftp/ci/96409ef3b9ca061f9527cfaafa778105cf15d994/

Bug: https://bugs.gentoo.org/741566
Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

net-ftp/atftp/atftp-0.7.2-r2.ebuild | 68 ++++++++++++++++
.../atftp/files/atftp-0.7.2-cve-2020-6097.patch | 92 ++++++++++++++++++++++
2 files changed, 160 insertions(+)

Thank you! Let us know when ready to stable.

Let's have -r2 soak for ten days (until 2021-01-22), then I'll make this a stablereq. Prospective arches are amd64, arm, ppc, ppc64, x86 (i.e. the current stable set for -r1).

(In reply to Tobias Klausmann from comment #5)
> Let's have -r2 soak for ten days (until 2021-01-22), then I'll make this a
> stablereq. Prospective arches are amd64, arm, ppc, ppc64, x86 (i.e. the
> current stable set for -r1).

Sure, thank you!

Ready?

Arches, please test and mark stable:
=net-ftp/atftp-0.7.2-r2

As this is a security bug, please let the security team handle things once the last arch is done (i.e. don't close the bug).

amd64 stable

ppc64 done

ppc done

arm done

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20c34541d0263f7ac9637a4c75cbe9a724628f7d

commit 20c34541d0263f7ac9637a4c75cbe9a724628f7d
Author: Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2021-01-26 18:18:08 +0000
Commit: Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2021-01-26 18:18:08 +0000

net-ftp/atftp: Remove old version (0.7.2-r1)

Bug: https://bugs.gentoo.org/show_bug.cgi?id=741566
Package-Manager: Portage-3.0.14, Repoman-3.0.2
Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

net-ftp/atftp/atftp-0.7.2-r1.ebuild | 67 -------------------------------------
1 file changed, 67 deletions(-)

Thank you!