Your message dated Tue, 01 Jul 2008 13:32:09 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#488630: fixed in linuxdcpp 1.0.1-2
has caused the Debian Bug report #488630,
regarding linuxdcpp: Two remote DoS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
488630: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488630
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: linuxdcpp
Version: 1.0.1-1
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

The following email came over one of the security lists:

Hey,

Linux DC++ (linuxdcpp) is a Direct Connect client based on the same 
client code as DC++, so it is vulnerable to the recently reported

[1] NULL pointer dereference remote DoS via partial file list requests
http://secunia.com/advisories/30812/
http://sourceforge.net/project/shownotes.php?release_id=608612&group_id=40287
https://bugs.launchpad.net/dcplusplus/+bug/238333 [Can't view]

Patch for linuxdcpp:
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/linuxdcpp/linuxdcpp/client/ShareManager.cpp.diff?r1=1.14&r2=1.15&sortby=date

[2] Empty message Remote DoS
When an attacker sends an empty message, he can cause the client to 
abort with "std::out_of_range" in substr().

Patch for linuxdcpp:
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/linuxdcpp/linuxdcpp/client/NmdcHub.cpp.diff?r1=1.14&r2=1.15&sortby=date


Robert

The patchsets are not included in the current sid version. CVE ids for both DoS
are pending.
Please also upload with high urgency, so that the package hits testing soon.

Cheers
Steffen



--- End Message ---
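The failure mode described in item [2] of the report above, shown as an added example (it is not the linuxdcpp patch and not code from NmdcHub.cpp): `std::string::substr(pos)` throws `std::out_of_range` whenever `pos > size()`, so a parser that computes offsets from a network line without checking its length can be aborted by an empty or truncated line. The function names and the `<nick> text` line layout are assumptions made for the illustration.

```cpp
// Added example: hypothetical names, not code from linuxdcpp's NmdcHub.cpp.
#include <iostream>
#include <stdexcept>
#include <string>

struct ChatLine { std::string nick, text; };

// Unchecked: assumes "<nick> text" and indexes without validating.
// substr(pos) throws std::out_of_range whenever pos > size().
ChatLine split_chat_unchecked(const std::string& line) {
    std::string::size_type i = line.find('>');   // npos if absent
    ChatLine c;
    c.nick = line.substr(1, i - 1);              // throws on ""
    c.text = line.substr(i + 2);                 // throws on "<bob>"
    return c;
}

// Checked: every offset is proven to be within the line before use.
bool split_chat_checked(const std::string& line, ChatLine& out) {
    if (line.size() < 3 || line[0] != '<') return false;
    std::string::size_type i = line.find('>', 1);
    if (i == std::string::npos) return false;
    std::string::size_type start = i + 1;        // i < size(), so start <= size()
    if (start < line.size() && line[start] == ' ') ++start;
    out.nick = line.substr(1, i - 1);
    out.text = line.substr(start);
    return true;
}

// True if the unchecked parser throws on this line. Left uncaught in a
// client, the exception reaches std::terminate and the process aborts.
bool unchecked_throws(const std::string& line) {
    try { split_chat_unchecked(line); }
    catch (const std::out_of_range&) { return true; }
    return false;
}

int main() {
    const char* samples[] = { "", "<bob>", "<bob> hi" };   // constructed inputs
    for (const char* s : samples) {
        ChatLine c;
        std::cout << '"' << s << "\" unchecked_throws=" << unchecked_throws(s)
                  << " checked_ok=" << split_chat_checked(s, c) << '\n';
    }
    return 0;
}
```
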
--- Begin Message ---
Source: linuxdcpp
Source-Version: 1.0.1-2

We believe that the bug you reported is fixed in the latest version of
linuxdcpp, which is due to be installed in the Debian FTP archive:

linuxdcpp0.691_1.0.1-2_all.deb
  to pool/main/l/linuxdcpp/linuxdcpp0.691_1.0.1-2_all.deb
linuxdcpp_1.0.1-2.diff.gz
  to pool/main/l/linuxdcpp/linuxdcpp_1.0.1-2.diff.gz
linuxdcpp_1.0.1-2.dsc
  to pool/main/l/linuxdcpp/linuxdcpp_1.0.1-2.dsc
linuxdcpp_1.0.1-2_amd64.deb
  to pool/main/l/linuxdcpp/linuxdcpp_1.0.1-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <[EMAIL PROTECTED]> (supplier of updated linuxdcpp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 01 Jul 2008 14:18:16 +0200
Source: linuxdcpp
Binary: linuxdcpp0.691 linuxdcpp
Architecture: source all amd64
Version: 1.0.1-2
Distribution: unstable
Urgency: high
Maintainer: Romain Beauxis <[EMAIL PROTECTED]>
Changed-By: Romain Beauxis <[EMAIL PROTECTED]>
Description: 
 linuxdcpp  - Port of the Windows file-sharing program, DC++
 linuxdcpp0.691 - Port of the Windows file-sharing program DC++
Closes: 488630
Changes: 
 linuxdcpp (1.0.1-2) unstable; urgency=high
 .
   * Fix two remote DoS. Closes: #488630
     Thanks to Steffen Joeris for the accurate report
   * Updated standards to 3.8.0
   * Added watch file

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

-----END PGP SIGNATURE-----



--- End Message ---
