Original libneon bug #51490
As of May 5th, the website at http://arch.quackerhead.com/~lord/ promises a security update for the previous libneon vulnerability.
Tla 1.2.1pre1 was released by James Blackwell because Tom was offline because he was moving. It fixes this security hole. For more information see this:
Tom has later acked this version:
Fix version is 1.2.1pre1.
Ryan: please bump to this version.
1.2.1_pre1 committed. Awaiting GLSA announcement for bug closure.
Ready for a GLSA
Carsten Eiram from Secunia brought to our attention that 1.2.1_pre1 includes neon-0.24.5, so it does only solve the string format vuln (CAN-2004-0179) and not the heap overflow (CAN-2004-0398), which needs neon-0.24.6.
The OpenPKG advisory uses a "tla-1.2-20040519" as the fix.
rphillips: could you clear that up and, if needed, produce a new fix ebuild?
We'll probably have to issue an errata advisory.
I looked in http://dailyarch.gnuarch.org/ for the tla snapshot for 20040519.
In src/tla/libneon/aclocal.m4 it says that libneon is 0.24.0 still... Also, in the latest snapshot: 20040602. Am I just seeing things?
jivera in #arch said that the included neon isn't up to date yet. I think the openpackage advisory might not have gotten the right fix (if there is one).
tla-1.2-r2.ebuild has been committed to portage. tla will use the installed neon shared library via the patch included (files/tla-1.2-4.diff.gz).
Errata drafted, security, please review.
We should remove/mask 1.2.1_pre1 before GLSA release so that this vulnerable version does not get picked up by the emerge ">=dev-util/tla-1.2-r2".
Errata GLSA 200405-25:02
Ryan: thank you very much for this quick and efficient fix!