From $URL : Hi, during the triage of the SSL client bugs spotted by the http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf paper Debian developer Alessandro Ghedini discovered two more applications using Curl in an insecure manner: 1. opendnssec (in the eppclient tool) http://lists.opendnssec.org/pipermail/opendnssec-user/2012-November/002296.html
Per the release notes[0] eppclient has been removed since 1.4.0rc1. @maintainer, please cleanup vulnerable ebuilds (<1.4.7). [0]: https://github.com/opendnssec/opendnssec/blob/7e0ca962fb219f13842174b2984fbcb3ffb7b171/NEWS#L229
I cleaned it up and pushed a patched version (1.3.18-r1). Would be good if you reviewed the patch: files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch TIA ;)
(In reply to Marc Schiffbauer from comment #2) > I cleaned it up and pushed a patched version (1.3.18-r1). > > Would be good if you reviewed the patch: > files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch > > TIA ;) Marc, looks good to me :) Thanks for the fix and bump.
