Bug 105115 - net-misc/zebedee: Denial of Service
Summary: net-misc/zebedee: Denial of Service
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2005-09-06 23:34 UTC by Bill Kenworthy
Modified: 2007-06-24 23:34 UTC
Description Bill Kenworthy 2005-09-06 23:34:22 UTC
From an email announcement to the zebedee list:

After a break of nearly two years there are two new versions of the Zebedee
Secure Tunnel available.
Version 2.4.1A contains a very small fix for a possible "denial of service"
attack that can crash Zebedee. The Windows binary package has also been linked
with the latest versions of the zlib and bzip2 libraries. In the case of zlib
this contains security fixes and some possible performance improvements.
Version 2.5.3 is the latest "development" version. It contains the same security
bug-fix as 2.4.1A but also fixes other bugs including a long-standing problem
with "reverse mode" tunnelling under Windows. Full details are in the
CHANGES.txt file within the release.
Both versions are available via or for

Reproducible: Always
Steps to Reproduce:

Note: includes a fix for a DOS vulnerability.
Comment 1 Marcelo Goes (RETIRED) gentoo-dev 2005-09-07 09:06:09 UTC
Bumped both versions in cvs, 2.4.1-r1 is x86 stable because of the DOS
Thanks for reporting!
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-09 23:16:13 UTC
More info on the other DoS issue here: 
Comment 3 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-09-10 10:20:10 UTC
zebedee-2.5.3 stable on alpha
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-10 23:05:29 UTC
Time for GLSA decision on this one. I tend to vote NO. 
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-09-11 02:39:30 UTC
This is an untrusted-network-facing service so I tend to vote yes.
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-11 02:42:01 UTC
Well if no auth is necessary I agree with half YES. 
Comment 7 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-14 03:15:38 UTC
I would vote a weak YES.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-09-14 03:16:47 UTC
Let's have one.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-09-14 03:18:17 UTC
zebedee is still missing x86 stable keyword.
Comment 10 Chris Gianelloni (RETIRED) gentoo-dev 2005-09-15 06:47:38 UTC
2.4.1-r1 is stable on x86.  What version needs to be stabilized, then?
Comment 11 Marcelo Goes (RETIRED) gentoo-dev 2005-09-15 08:47:02 UTC
Exactly: 2.4.x is the stable branch and 2.5.x is the development branch. 2.4.1A
(2.4.1-r1) fixes the issue for 2.4.1 and 2.5.3 fixes the issue for 2.5.2.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-09-16 01:11:50 UTC
Oops, sorry for the confusion.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-09-19 01:13:41 UTC
zebedee depends on zlib so this is just about the DoS.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-09-20 07:00:49 UTC
GLSA 200509-14
s390 should mark stable to benefit from GLSA