From an email announcement to the zebedee list:
After a break of nearly two years there are two new versions of the Zebedee
Secure Tunnel available.
Version 2.4.1A contains a very small fix for a possible "denial of service"
attack that can crash Zebedee. The Windows binary package has also been linked
with the latest versions of the zlib and bzip2 libraries. In the case of zlib
this contains security fixes and some possible performance improvements.
Version 2.5.3 is the latest "development" version. It contains the same security
bug-fix as 2.4.1A but also fixes other bugs including a long-standing problem
with "reverse mode" tunnelling under Windows. Full details are in the
CHANGES.txt file within the release.
Both versions are available via http://winton.org.uk/zebedee or for
Steps to Reproduce:
Note: includes a fix for a DOS vulnerability.
Bumped both versions in cvs, 2.4.1-r1 is x86 stable because of the DOS
Thanks for reporting!
More info on the other DoS issue here:
zebedee-2.5.3 stable on alpha
Time for GLSA decision on this one. I tend to vote NO.
This is an untrusted-network-facing service so I tend to vote yes.
Well if no auth is necessary I agree with half YES.
I would vote a weak YES.
Let's have one.
zebedee is still missing x86 stable keyword.
2.4.1-r1 is stable on x86. What version needs to be stabilized, then?
Exactly: 2.4.x is the stable branch and 2.5.x is the development branch. 2.4.1A
(2.4.1-r1) fixes the issue for 2.4.1 and 2.5.3 fixes the issue for 2.5.2.
Oops, sorry for the confusion.
zebedee depends on zlib so this is just about the DoS.
s390 should mark stable to benefit from GLSA