from ${URL}: Hello, bip 0.8.8 and earlier contains an issue where failed SSL handshakes result in a resource leak. A remote attacker can use this flaw to cause bip to run out of resources, resulting in a denial of service. Upstream bug: https://projects.duckcorp.org/issues/261 Fixed by the following commit in 0.8.9: https://projects.duckcorp.org/projects/bip/repository/revisions/df45c4c2d6f892e3e1dec23ce0ed2575b53a7d8c Downstream bug: https://bugs.launchpad.net/ubuntu/precise/+source/bip/+bug/1247888 Could a CVE please be assigned to this issue? Thanks, Marc. -- Marc Deslauriers Ubuntu Security Engineer | http://www.ubuntu.com/ Canonical Ltd. | http://www.canonical.com/
CVE-2013-4550 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4550): Bip before 0.8.9, when running as a daemon, writes SSL handshake errors to an unexpected file descriptor that was previously associated with stderr before stderr has been closed, which allows remote attackers to write to other sockets and have an unspecified impact via a failed SSL handshake. CVE-2011-5268 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5268): connection.c in Bip before 0.8.9 does not properly close sockets, which allows remote attackers to cause a denial of service (file descriptor consumption and crash) via multiple failed SSL handshakes.
Multiple CVEs fixed in 0.8.9, so adding 2011-5628.
CCing treecleaners as nobody is taking care of this
Bumped: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f388a3351b0bfdb1233211eefbc1e0d98b892190 Arch teams, please test and stabilise net-irc/bip-0.8.9. Target KEYWORDS="amd64 x86". Thanks!
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Remove old.
GLSA Vote: No Thank you all. Closing as noglsa.