From ${URL}: iodine 0.7.0 has just been released, which fixes an authentication bypass issue discovered by Oscar Reparaz. The fix is here: https://github.com/yarrick/iodine/commit/b715be5cf3978fbe589b03b09c9398d0d791f850 and the new release is available at the homepage: http://code.kryo.se/iodine/ @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
I've reviewed the ebuild and added the version bump plus the modified ebuild to my overlay (layman -a xmw) for testing. I'll add it to the tree later.
http://git.overlays.gentoo.org/gitweb/?p=dev/xmw.git;a=tree;f=net-misc/iodine;
+*iodine-0.7.0 (18 Jul 2014) + + 18 Jul 2014; Michael Weber <xmw@gentoo.org> + +files/iodine-0.7.0-TestMessage.patch, +files/iodined-1.init, + +iodine-0.7.0.ebuild: + Version bump (bug 513560, CVE-2014-4168), EAPI-5, approved by vostoga. + 18 Jul 2014; Michael Weber <xmw@gentoo.org> package.mask: Masked for removal of affected versions in 30 days. Security issue bug 513560
+ 07 Sep 2014; Pacho Ramos <pacho@gentoo.org> + -files/iodine-0.5.2-Makefile.patch, -files/iodine-0.6.0_rc1-TestMessage.patch, + -files/iodine-0.6.0_rc1-ifconfig-path.patch, -iodine-0.5.2.ebuild, + -iodine-0.6.0_rc1-r1.ebuild, -iodine-0.6.0_rc1.ebuild: + Remove masked for removal versions +
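Review bot: the package.mask entry dated 18 Jul 2014 cites only bug 513560, while the version-bump entry directly above it records both the bug and CVE-2014-4168; carry the CVE ID into the mask message as well ("Security issue bug 513560, CVE-2014-4168") so that anyone reading package.mask can identify the advisory without going through the bug tracker. The 07 Sep 2014 removal entry is consistent with the 30-day mask announced there.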
CVE-2014-4168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4168): (1) iodined.c and (2) user.c in iodine before 0.7.0 allow remote attackers to bypass authentication by continuing execution after an error has been triggered.
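The CVE text describes a bug class rather than a single missing line: a server that answers a failed check with an error reply but then keeps going, so the request is processed as if the check had passed. The following C example is added here to illustrate that class and is not iodine's code; the user table, the reply codes and the function names (handle_login, handle_data_vulnerable, handle_data_fixed, check_authenticated_user_and_ip) are assumptions made for this example. It shows both halves of the pattern in the vulnerable handler, an error path that sends the reply and falls through, and a check that never looks at whether login completed, next to a hardened handler that returns on error and requires the authenticated flag.

```c
/* Added illustrative example (not iodine's code): the "error reported but
 * execution continues" bug class named in CVE-2014-4168, as a minimal
 * request handler. All names and structures here are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_USERS 4
#define SECRET_LEN 16

struct user {
    int active;                        /* slot is in use */
    int authenticated;                 /* login completed successfully */
    unsigned long ip;                  /* client address recorded at login */
    unsigned char secret[SECRET_LEN];  /* expected login proof */
};

static struct user users[MAX_USERS];

/* Constructed secret for slot 0, used by reset_users() and by a client. */
const unsigned char demo_secret[SECRET_LEN] =
    "0123456789abcde";

/* Replies the server would send; returned so a caller can inspect them. */
enum reply { REPLY_NONE, REPLY_LOGIN_OK, REPLY_LOGIN_NAK,
             REPLY_BAD_USER, REPLY_BAD_IP, REPLY_DATA };

/* Put the table in a known state: slot 0 allocated, nobody logged in. */
void reset_users(void)
{
    memset(users, 0, sizeof users);
    users[0].active = 1;
    memcpy(users[0].secret, demo_secret, SECRET_LEN);
}

/* Same in both variants: a bad proof gets a NAK and the handler returns. */
enum reply handle_login(int userid, unsigned long ip,
                        const unsigned char *proof, size_t len)
{
    if (userid < 0 || userid >= MAX_USERS || !users[userid].active)
        return REPLY_BAD_USER;
    if (len != SECRET_LEN || memcmp(users[userid].secret, proof, len) != 0)
        return REPLY_LOGIN_NAK;
    users[userid].authenticated = 1;
    users[userid].ip = ip;
    return REPLY_LOGIN_OK;
}

/* Stand-in for the real work done on an accepted data packet. */
static enum reply serve_data(const unsigned char *pkt, size_t len)
{
    (void)pkt; (void)len;
    return REPLY_DATA;
}

/* Vulnerable: checks that the slot exists and the IP matches, but never
 * that login succeeded. */
static int check_user_and_ip_vulnerable(int userid, unsigned long ip)
{
    if (userid < 0 || userid >= MAX_USERS || !users[userid].active) return 1;
    if (users[userid].ip != ip) return 1;
    return 0;
}

/* Vulnerable: the error reply is recorded in *sent, but there is no return,
 * so the packet is served anyway. */
enum reply handle_data_vulnerable(int userid, unsigned long ip,
                                  const unsigned char *pkt, size_t len,
                                  enum reply *sent)
{
    *sent = REPLY_NONE;
    if (check_user_and_ip_vulnerable(userid, ip) != 0) {
        *sent = REPLY_BAD_IP;            /* error reply goes out ... */
    }                                    /* ... and execution continues */
    return serve_data(pkt, len);
}

/* Fixed: the check also requires a completed login. */
static int check_authenticated_user_and_ip(int userid, unsigned long ip)
{
    if (userid < 0 || userid >= MAX_USERS || !users[userid].active) return 1;
    if (!users[userid].authenticated) return 1;
    if (users[userid].ip != ip) return 1;
    return 0;
}

/* Fixed: an error reply ends the request; nothing after it runs. */
enum reply handle_data_fixed(int userid, unsigned long ip,
                             const unsigned char *pkt, size_t len,
                             enum reply *sent)
{
    *sent = REPLY_NONE;
    if (check_authenticated_user_and_ip(userid, ip) != 0) {
        *sent = REPLY_BAD_IP;
        return REPLY_NONE;
    }
    return serve_data(pkt, len);
}

int main(void)
{
    enum reply sent;
    unsigned char pkt[4] = {1, 2, 3, 4};   /* constructed data packet */
    reset_users();
    /* A client that never logged in, from an address the slot never saw. */
    printf("vulnerable: served=%d sent=%d\n",
           handle_data_vulnerable(0, 0x0a000002UL, pkt, 4, &sent) == REPLY_DATA, sent);
    printf("fixed:      served=%d sent=%d\n",
           handle_data_fixed(0, 0x0a000002UL, pkt, 4, &sent) == REPLY_DATA, sent);
    return 0;
}
```

Two things to check when reviewing a fix for this class: every branch that emits an error reply must also leave the handler (a return, not just a log or a write), and the precondition the later code relies on (here, "this user finished logging in") must be something the check actually tests, not something it assumes from the slot being allocated.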