Comment 1 SpanKY 2012-06-14 00:25:38 UTC

Commit message: Version bump
http://sources.gentoo.org/sys-apps/xinetd/xinetd-2.3.15.ebuild?rev=1.1

Comment 2 Sean Amoss (RETIRED) 2012-06-15 14:16:34 UTC

Thanks for the report, Hans.

@base-system, may we proceed to stabilize =sys-apps/xinetd-2.3.15 ?

Comment 3 GLSAMaker/CVETool Bot 2012-06-15 19:00:27 UTC

CVE-2012-0862 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0862):
  builtins.c in Xinetd before 2.3.15 does not check the service type when the
  tcpmux-server service is enabled, which exposes all enabled services and
  allows remote attackers to bypass intended access restrictions via a request
  to tcpmux port 1.

Comment 4 SpanKY 2012-06-15 20:16:52 UTC

(In reply to comment #2)

should be fine

Comment 5 Sean Amoss (RETIRED) 2012-06-15 21:35:35 UTC

Arches, please test and mark stable:

=sys-apps/xinetd-2.3.15

Target KEYWORDS="alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Comment 6 Agostino Sarubbo 2012-06-16 13:11:01 UTC

amd64 stable

Comment 7 Jeff (JD) Horelick (RETIRED) 2012-06-17 05:36:32 UTC

x86 stable

Comment 8 Jeroen Roovers (RETIRED) 2012-06-18 23:20:35 UTC

Stable for HPPA.

Comment 9 Markus Meier 2012-06-21 04:41:10 UTC

arm stable

Comment 10 Raúl Porcel (RETIRED) 2012-06-23 17:18:15 UTC

alpha/ia64/m68k/s390/sh/sparc

Comment 11 Brent Baude (RETIRED) 2012-07-03 16:02:26 UTC

ppc done

Comment 12 Kacper Kowalik (Xarthisius) (RETIRED) 2012-09-20 12:05:09 UTC

ppc64 stable, last arch done

Comment 13 Tim Sammut (RETIRED) 2012-09-20 23:33:18 UTC

Thanks, folks. GLSA Vote: yes.

Comment 14 Stefan Behte (RETIRED) 2012-12-16 21:59:18 UTC

Vote: NO!

...does not check the service type when the tcpmux-server service is enabled...
So this seems to be C4 rather then B4 anyways.

Comment 15 Stefan Behte (RETIRED) 2012-12-16 22:00:56 UTC

Defaults from from /etc/xinetd.d/tcpmux-server:

service tcpmux
{
        disable         = yes

Changing to C4. Closing noglsa.