Arch teams, please test and mark stable:
=net-dns/libidn-1.32-r1
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Libidn NEWS -- History of user-visible changes. -*- outline -*-
Copyright (C) 2002-2016 Simon Josefsson
See the end for copying conditions.

* Version 1.33 (released 2016-07-20) [beta]

** libidn: Fix out-of-bounds stack read in idna_to_ascii_4i.
See tests/tst_toascii64oob.c for regression check (and the comment in it how to use it). Reported by Hanno Böck <hanno@hboeck.de>.

** idn: Solve out-of-bounds-read when reading one zero byte as input.
Also replaced fgets with getline. Reported by Hanno Böck <hanno@hboeck.de>.

** libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8.
It was always documented to only accept UTF-8 data, but now it doesn't crash when presented with such data. Reported by Hanno Böck.

** Dropped valgrind suppressions file, should no longer be needed.

** API and ABI is backwards compatible with the previous version.
Stable for HPPA PPC64.
arm stable
Stable on alpha.
Stable for AMD64 x86.
sparc stable
ppc stable
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
(In reply to Tobias Klausmann from comment #4)
> Stable on alpha.

commit d6dafb3fe044e95fdc1d71c343c0848c0849fe8e
Author: Tobias Klausmann <klausman@gentoo.org>
Date: Tue Jul 26 14:40:59 2016 +0200

    net-dns/libidn-1.32-r1: add alpha keyword

    Gentoo-Bug: 589304

That was the wrong version.
(In reply to Agostino Sarubbo from comment #8)
> ia64 stable.
>
> Maintainer(s), please cleanup.

Keywords for net-dns/libidn:
           | a a a h i p p s x m a m n r s s | e u s | r
           | l m r p a p p p 8 i r 6 i i 3 h | a n l | e
           | p d m p 6 c c a 6 p m 8 o s 9   | p u o | p
           | h 6   a 4   6 r   s 6 k s c 0   | i s t | o
           | a 4         4 c     4   2 v     |   e   |
           |                                 |   d   |
-----------+---------------------------------+-------+-------
      1.30 | + + + + + + + + + ~ ~ ~ o o ~ ~ | 5 # 0 | gentoo
   1.32-r1 | + ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ o o ~ ~ | 5 o   | gentoo
   [I]1.33 | ~ + + + + + + + + ~ ~ ~ o o ~ ~ | 6 o   | gentoo
(In reply to Jeroen Roovers from comment #9)
> (In reply to Tobias Klausmann from comment #4)
> > Stable on alpha.
>
> commit d6dafb3fe044e95fdc1d71c343c0848c0849fe8e
> Author: Tobias Klausmann <klausman@gentoo.org>
> Date: Tue Jul 26 14:40:59 2016 +0200
>
>     net-dns/libidn-1.32-r1: add alpha keyword
>
>     Gentoo-Bug: 589304
>
> That was the wrong version.

Fixed.
GLSA Vote: No
CVE-2016-6263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6263):
The stringprep_utf8_nfkc_normalize function in lib/nfkc.c in libidn before 1.33 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted UTF-8 data.

CVE-2016-6262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6262):
idn in libidn before 1.33 might allow remote attackers to obtain sensitive memory information by reading a zero byte as input, which triggers an out-of-bounds read, a different vulnerability than CVE-2015-8948.

CVE-2016-6261 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6261):
The idna_to_ascii_4i function in lib/idna.c in libidn before 1.33 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via 64 bytes of input.
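
The zero-byte out-of-bounds read in idn (CVE-2016-6262, fixed upstream by replacing fgets with getline) belongs to a common class of line-reading bugs. The sketch below is an added illustration of that class and of a length-tracking reader, not libidn's code; `read_line_checked`, `process_sample`, the return codes and the sample inputs are constructed for this example, and the unsafe pattern in the comment is an assumed typical form rather than a quotation from idn.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe pattern guarded against (comment only, never executed):
 *     fgets(buf, sizeof buf, fp); if (buf[strlen(buf) - 1] == '\n') ...
 * A leading 0x00 byte makes strlen(buf) == 0, so buf[-1] is read. */

/* Read one line into buf and strip its newline. The byte count is tracked
 * explicitly (as getline() reports it) instead of being recomputed with
 * strlen(). Returns the line length, -1 on empty read, -3 on embedded NUL. */
static long read_line_checked(FILE *fp, char *buf, size_t cap)
{
    size_t n = 0;
    int c;
    if (cap == 0) return -1;
    while (n + 1 < cap && (c = fgetc(fp)) != EOF) {
        buf[n++] = (char)c;
        if (c == '\n') break;
    }
    buf[n] = '\0';
    if (n == 0)
        return -1;                      /* never index buf[n - 1] */
    if (memchr(buf, '\0', n) != NULL)
        return -3;                      /* embedded NUL: reject the line */
    if (buf[n - 1] == '\n')
        buf[--n] = '\0';
    return (long)n;
}

/* Feed constructed sample bytes through the reader via a temporary file. */
static long process_sample(const char *bytes, size_t len, char *out, size_t cap)
{
    FILE *fp = tmpfile();
    if (fp == NULL) return -2;          /* no temporary file available */
    fwrite(bytes, 1, len, fp);
    rewind(fp);
    long n = read_line_checked(fp, out, cap);
    fclose(fp);
    return n;
}

int main(void)
{
    char buf[64];
    printf("%ld\n", process_sample("example.org\n", 12, buf, sizeof buf));
    printf("%ld\n", process_sample("\0", 1, buf, sizeof buf));
    return 0;
}
```

Running a reader like this under AddressSanitizer with a single NUL byte as input is a quick regression check for this class of bug.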
Removing aliases for tracker