From ${URL} : Affected software: cxxtools Description: By sending a crafted HTTP query parameter containing two percent signs in a row, URL parsing would enter an infinite recursive loop, leading to a crash. This allows a remote attacker to DOS the server. Affected versions: current releases (<= 2.2) Fixed in version: 2.2.1 Fix: https://github.com/maekitalo/cxxtools/commit/142bb2589dc184709857c08c1e10570947c444e3 Release notes: http://www.tntnet.org/download/cxxtools-2.2.1/Releasenotes-2.2.1.markdown Reported by: Julian Wiesener @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
bumped to cxxtools-2.2.1 stabilizing is not needed, previus versions run on ~ARCH in all attached arches anyway, i will add it to my ToDo list for stabilisation due the 30 day period thanks for reporting this...
(In reply to Joerg Bornkessel from comment #1) > bumped to cxxtools-2.2.1 > > stabilizing is not needed, previus versions run on ~ARCH in all attached > arches > > anyway, i will add it to my ToDo list for stabilisation due the 30 day period > > thanks for reporting this... This is not multislot package, so we actually HAVE previous version(even if it's previous major version) in stable. And thus - it requires stabilization. So, question - is it ready for it or no? You do not have to wait 30 days, cause it's security issue, but you should check if there some breakages that major version could bring in stable tree(as usual).
stable amd64 x86 done cleanup old cxxtools-2.x major release cxxtools-1.4.8 is still in the tree, because of unresolved ARCH dependency in dev-libs/tntnet ### I think there is also a securety problem on dev-libs/tntnet reported here --> http://www.tntnet.org/download/tntnet-2.2.1/Releasenotes-2.2.1.html - racing condition may result in a pthread unlock error - in some circumstances request headers are not cleared correctly and hence may occur in subsequent requests again - changing the root dir of tntnet did not work iam added for now the dev-libs/tntnet-2.2.1 please let me know, if we need also a stabilization the result from this would be, we could remove all old major releases from dev-libs/tntnet dev-libs/cxxtools
The old cxxtools version doesn't even build for me currently :(
Stabilizing: dev-libs/tntnet-2.2.1 dev-libs/cxxtools-2.2.1 Will fix all issues
(In reply to Pacho Ramos from comment #5) > Stabilizing: > dev-libs/tntnet-2.2.1 > dev-libs/cxxtools-2.2.1 > > Will fix all issues both packages are stable now on amd64, x86 ....
CVE-2013-7298 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7298): query_params.cpp in cxxtools before 2.2.1 allows remote attackers to cause a denial of service (infinite recursion and crash) via an HTTP query that contains %% (double percent) characters.
@maintainers, please remove vulnerable version (1.4.8) from tree as the previous dependency issue was resolved.
cleanup old, done...