Your message dated Thu, 14 Feb 2008 10:00:04 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#447897: speech-dispatcher listens on 0.0.0.0
has caused the Debian Bug report #447897,
regarding speech-dispatcher listens on 0.0.0.0
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
447897: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=447897
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: speech-dispatcher
Version: 0.6.4-2
Severity: important
Tags: security
It is possible to connect to a computer running speech-dispatcher from
any other computer, via port 6560, and produce arbitrary speech output
(and also convert any not-yet-found local root exploit to a remote one),
without any access controls except iptables, and the README file doesn't
warn users about this.
IMHO, the default should be changed, because the majority of users of
speech-dispatcher (i.e., those using it with speechd-up or with brltty)
will need it only on the local interface.
The upstream maintainer has already been notified by e-mail, but I got no
answer from him within 5 days.
--
Alexander E. Patrakov
--- End Message ---
--- Begin Message ---
This bug has been fixed upstream in Speech Dispatcher 0.6.6 and so it's
fixed by yesterday's speech-dispatcher 0.6.6-1 upload.
--- End Message ---
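A check for the exposure described in the report, added here as an example (it is not part of the bug thread or of Speech Dispatcher): it parses a Linux `/proc/net/tcp` style socket table and reports any LISTEN socket on port 6560 that is bound to a non-loopback address such as 0.0.0.0. The sample table is constructed, the function names are hypothetical, and little-endian address encoding (x86, most ARM) is assumed.

```python
import ipaddress

SPD_PORT = 6560    # port named in the bug report
TCP_LISTEN = 0x0A  # Linux kernel state code for LISTEN

# Constructed, trimmed sample in /proc/net/tcp layout (not from a real host):
# a wildcard listener on 6560, a loopback listener on 631, and an
# established loopback connection to 6560.
SAMPLE_EXPOSED = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:19A0 00000000:0000 0A 00000000:00000000
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000
   2: 0100007F:19A0 0100007F:C350 01 00000000:00000000
"""
# Same table with the 6560 listener bound to 127.0.0.1 only, the default
# the report asks for.
SAMPLE_LOOPBACK = SAMPLE_EXPOSED.replace("00000000:19A0", "0100007F:19A0")


def decode_addr(hex_addr, byteorder="little"):
    """Decode a /proc/net/tcp or tcp6 address (8 or 32 hex digits).

    The kernel prints each 32-bit word in host byte order; "little" is an
    assumption that matches x86 and most ARM systems.
    """
    words = [hex_addr[i:i + 8] for i in range(0, len(hex_addr), 8)]
    raw = b"".join(int(w, 16).to_bytes(4, byteorder) for w in words)
    return ipaddress.ip_address(raw)


def exposed_listeners(table_text, port=SPD_PORT):
    """Return non-loopback local addresses with a LISTEN socket on `port`."""
    exposed = []
    for line in table_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        addr_hex, port_hex = fields[1].split(":")
        if int(fields[3], 16) != TCP_LISTEN or int(port_hex, 16) != port:
            continue
        addr = decode_addr(addr_hex)
        if not addr.is_loopback:  # 0.0.0.0 and :: are reachable remotely
            exposed.append(str(addr))
    return exposed


if __name__ == "__main__":
    print("wildcard binding:", exposed_listeners(SAMPLE_EXPOSED))
    print("loopback binding:", exposed_listeners(SAMPLE_LOOPBACK))
```

On a live host, pass the contents of `/proc/net/tcp` and `/proc/net/tcp6` to `exposed_listeners` instead of the sample strings.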