(Sorry for the spam, ugh!) Looking at the ChangeLog at $URL, I see two things that appear security-related.
Fixed in 3.9.3 - Fix =NULL= pointer dereference in conf file parser. Problem will arise for all interfaces that at one point might not have an address.
Fixed in 3.9.5 - Ported from pimd after CVE-2011-0007: Insecure file creation in /var/tmp. "On USR1, pimd will write to /var/tmp/pimd.dump a dump of the multicast route table. Since /var/tmp is writable by any user, a user can create a symlink to any file he wants to destroy with the content of the multicast routing table."
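As an added illustration of the file-creation issue quoted above (not code from this bug, from mrouted or from pimd, and not necessarily how upstream fixed it): a hardened way for a daemon to open a dump file at a fixed path so that a pre-planted symlink is never followed. The names `open_dump_safely` and `symlink_case_is_safe`, and the paths under `/tmp`, are hypothetical and constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for fopen(path, "w") on a fixed dump path.
 * unlink() removes whatever sits at the path (a symlink itself, never its
 * target); O_CREAT|O_EXCL then succeeds only if this process creates the
 * file, and O_NOFOLLOW refuses a symlink as the last path component. */
FILE *open_dump_safely(const char *path)
{
    if (unlink(path) == -1 && errno != ENOENT) return NULL;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd == -1) return NULL;  /* EEXIST/ELOOP: path was re-created, give up */
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) close(fd);
    return fp;
}

/* Constructed scenario: a symlink planted at the dump path points at a
 * victim file. Returns 1 if the victim is intact and the dump is regular. */
int symlink_case_is_safe(void)
{
    char dir[] = "/tmp/dumpdemoXXXXXX", victim[64], dump[64], buf[16] = "";
    struct stat st;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dump, sizeof dump, "%s/daemon.dump", dir);
    FILE *v = fopen(victim, "w");
    if (v == NULL) return 0;
    fputs("keep", v);
    fclose(v);
    if (symlink(victim, dump) == -1) return 0;
    FILE *fp = open_dump_safely(dump);      /* must not touch the victim */
    if (fp == NULL) return 0;
    fputs("route table", fp);
    fclose(fp);
    v = fopen(victim, "r");
    if (v == NULL || fgets(buf, sizeof buf, v) == NULL) return 0;
    fclose(v);
    int ok = strcmp(buf, "keep") == 0 && lstat(dump, &st) == 0 && S_ISREG(st.st_mode);
    unlink(dump); unlink(victim); rmdir(dir);
    return ok;
}

int main(void) { return symlink_case_is_safe() ? 0 : 1; }
```

Writing the dump into a directory only the daemon can write to removes the race entirely; the flags above are the fallback when the path must stay in a shared directory.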
Stumbled upon this. Arch teams, please test and mark stable: =net-misc/mrouted-3.9.5 Target KEYWORDS="amd64 ppc x86"
amd64 ok
x86 stable
ppc done
amd64 done
Thanks, everyone. GLSA Vote: Yes.
Vote: YES. New GLSA request filed.
Can one of our new scouts check if there is a CVE for this and request one if there is none?
This issue was resolved and addressed in GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml by GLSA coordinator Sean Amoss (ackle).