As usual, this might be vulnerable to the <2.2.0b libtool security issue.
This is CVE-2009-3736 Fixed (both the vulnerability and use of internal libltdl) in siproxd-0.8.0
Ping. Why do we have vulnerable version still in stable? siproxd-0.5.13.ebuild:KEYWORDS="amd64 x86" siproxd-0.7.0.ebuild:KEYWORDS="amd64 x86" siproxd-0.7.1.ebuild:KEYWORDS="~amd64 ~x86" siproxd-0.8.0.ebuild:KEYWORDS="~amd64 ~x86" Adding amd64, x86. If it doesn't work, this will be lastrited.
(In reply to comment #2) > Ping. Why do we have vulnerable version still in stable? Is 0.8.0 not affected?
(In reply to comment #3) > (In reply to comment #2) > > Ping. Why do we have vulnerable version still in stable? > > Is 0.8.0 not affected? > Comment #1 and ebuild seems to suggest so: sed -i 's/libltdl //' Makefile.in Makefile.am
x86 stable
(In reply to comment #5) > x86 stable This version segfaults on our x86-server. emerge --info: Portage 2.1.7.16 (default/linux/x86/10.0, gcc-4.3.4, glibc-2.9_p20081201-r2, 2.6.16-gentoo-r9 i686) ================================================================= System uname: Linux-2.6.16-gentoo-r9-i686-Intel-R-_Pentium-R-_III_CPU_family_1266MHz-with-gentoo-1.12.13 Timestamp of tree: Sun, 28 Feb 2010 23:15:01 +0000 app-shells/bash: 4.0_p35 dev-lang/python: 2.4.6, 2.5.4-r4, 2.6.4-r1 dev-python/pycrypto: 2.1.0_beta1 sys-apps/baselayout: 1.12.13 sys-apps/sandbox: 1.6-r2 sys-devel/autoconf: 2.13, 2.63-r1 sys-devel/automake: 1.4_p6-r1, 1.5-r1, 1.6.3-r1, 1.7.9-r2, 1.8.5-r4, 1.9.6-r3, 1.10.3, 1.11.1 sys-devel/binutils: 2.18-r3 sys-devel/gcc: 4.1.2, 4.3.4 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.6b virtual/os-headers: 2.6.30-r1 ACCEPT_KEYWORDS="x86" ACCEPT_LICENSE="* -@EULA" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=pentium3 -fomit-frame-pointer -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-O2 -march=pentium3 -fomit-frame-pointer -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch" GENTOO_MIRRORS="http://gentoo-portage.ipv6.tu-ilmenau.de/mirror/gentoo" LDFLAGS="-Wl,-O1" MAKEOPTS="-j5" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://gentoo-portage.ipv6.tu-ilmenau.de/gentoo-portage" USE="acl alsa bzip2 cli cracklib crypt cups cxx dri fortran gd gpm iconv ipv6 mmx modules mudflap ncurses nls nptl nptlonly openmp pam pcre perl pppd pthreads python readline reflection session spl sse ssl sysfs tcpd threads unicode x86 zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="worker" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa via vmware voodoo" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY Further tests are no problem because siproxy is not a testing service on this server ;)
(In reply to comment #6) Can you provide more information about the crash, such as when it happens and a stack trace in a separate bug, and make it block this one? Thanks.
> Can you provide more information about the crash, such as when it happens and a > stack trace in a separate bug, and make it block this one? Thanks. siproxd-0.8.0 segfaults also on amd64 with example config. bugreport follows asap.
Feel free to add us back when bug 308495 is solved
(In reply to comment #9) > Feel free to add us back when bug 308495 is solved > stable amd64 keyword dropped then. moving to security@, dunno if they want glsa for these libltdl bugs or not.
Arches, please stabilize net-misc/siproxd-0.8.0-r1 which has a fix for bug 308495. Target keywords: amd64 x86
(In reply to comment #11) > Arches, please stabilize net-misc/siproxd-0.8.0-r1 which has a fix for bug > 308495. > > Target keywords: amd64 x86 If siproxd-0.8.0 still contains bug #308495 it should be removed from portage...
siproxd-0.8.0 will be removed when 0.8.0-r1 is stable on all arches.
amd64 stable, all arches done.
GLSA Vote: no.
Vote: NO, closing noglsa.