On Wed, May 04, 2005 at 10:00:34PM +0200, Moritz Muehlenhoff wrote:
> In gmane.linux.debian.devel.release, you wrote:
> > leafnode 1.11.1.rel-1 is already in testing. :)
> But it might need another update; 1.11.2 fixes a DoS vulnerability
> in fetchnews with relatively minor impact.

That has now been uploaded for unstable. Quoting the upstream changelog, the bugs in question are:

| - Fix fetchnews segfault when connection to server dies while fetchnews is
|   reading an article body (use-after-free bug). Regression introduced into
|   leafnode v1.9.52. Denial of service possible, see leafnode-SA-2005-01.txt.
| - Fix fetchnews segfault when connection to server dies while fetchnews is
|   reading an article header. Regression in security fix of leafnode v1.9.48.
|   Denial of service possible, see leafnode-SA-2005-01.txt

Unfortunately, the 1.11.2 release also includes some other fixes that aren't security related, though they can produce a noticeable improvement in the bandwidth usage in some circumstances:

| - fetchnews will no longer re-fetch the active file for a server if it
|   has been completely received even if fetching articles from this server
|   encounters a problem. Long-standing bug. Debian bug #70052.
| - fetchnews will now properly mark the active for complete re-fetch if it says
|   so. Previously, it forgot the mark in some circumstances.
| - A problem fetching the active file or descriptions for a newly added server
|   will now mark the active for re-fetch even if articles have successfully
|   been retrieved from the same server.

(there is also a trivial update to the German man page, plus some fixes for use after frees that didn't get noted in the release notes.)

I consider this second set of fixes useful and desirable but it's hard to make a case for them being critical for sarge. Unless the release team is willing to make an exception due to the security issues I will try to extract the appropriate fixes and produce a backport for sarge over the weekend (unless of course that wouldn't be accepted either).

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."
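The changelog entries quoted above describe a use-after-free reached when the server connection dies while an article body is being read: the error path releases the receive buffer, but the surrounding code keeps processing it. The example below is an added illustration of that bug class and of the shape of the fix; it is not leafnode's code and does not reproduce fetchnews internals. The fake_conn stand-in, the fetch_status codes and the sample body lines are all constructed here for the demonstration. The fixed reader frees the buffer on connection loss and leaves the output pointer NULL, and the caller checks the status before touching the body at all, so nothing dangling is ever dereferenced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an NNTP server connection: a fixed array of body
 * lines, plus a cut-off after which every read fails as if the peer had gone. */
typedef struct {
    const char **lines;
    size_t nlines;
    size_t pos;
    size_t dies_after;
} fake_conn;

/* Next body line, or NULL once the connection is considered dead. */
static const char *conn_getline(fake_conn *c)
{
    if (c->pos >= c->dies_after || c->pos >= c->nlines)
        return NULL;
    return c->lines[c->pos++];
}

typedef enum { FETCH_OK = 0, FETCH_CONN_LOST = 1, FETCH_NOMEM = 2 } fetch_status;

/* Collect body lines into a heap buffer until the "." terminator.
 * On any failure the buffer is released here, *out is left NULL, and the
 * status tells the caller to stop: the buffer must not be touched again. */
static fetch_status read_body(fake_conn *c, char **out)
{
    size_t cap = 64, len = 0;
    char *buf = malloc(cap);

    *out = NULL;
    if (!buf)
        return FETCH_NOMEM;

    for (;;) {
        const char *line = conn_getline(c);
        if (!line) {
            free(buf);               /* connection died mid-body */
            return FETCH_CONN_LOST;  /* *out is still NULL, nothing dangles */
        }
        if (strcmp(line, ".") == 0)
            break;

        size_t ll = strlen(line);
        size_t need = len + ll + 2;  /* line, '\n', and room for the final NUL */
        if (need > cap) {
            while (need > cap)
                cap *= 2;
            char *tmp = realloc(buf, cap);
            if (!tmp) {
                free(buf);
                return FETCH_NOMEM;
            }
            buf = tmp;
        }
        memcpy(buf + len, line, ll);
        len += ll;
        buf[len++] = '\n';
    }
    buf[len] = '\0';
    *out = buf;
    return FETCH_OK;
}

/* Fetch one article body and return its line count, or -1 if the connection
 * was lost. Checking the status before using `body` is the fix for the bug
 * class: the buggy shape kept processing the buffer after the error path
 * had already freed it. */
int fetch_body_lines(const char **lines, size_t nlines, size_t dies_after)
{
    fake_conn c = { lines, nlines, 0, dies_after };
    char *body = NULL;
    fetch_status st = read_body(&c, &body);

    if (st != FETCH_OK)
        return -1;

    int n = 0;
    for (const char *p = body; *p; p++)
        if (*p == '\n')
            n++;
    free(body);
    body = NULL;                     /* never reuse the freed pointer */
    return n;
}

/* Constructed sample article body, "." terminated as in NNTP. */
static const char *sample_body[] = { "Hello,", "this is a test post.", "." };

int demo_complete(void) { return fetch_body_lines(sample_body, 3, 100); }
int demo_dropped(void)  { return fetch_body_lines(sample_body, 3, 1); }

int main(void)
{
    printf("complete transfer: %d lines\n", demo_complete());
    printf("dropped connection: %d\n", demo_dropped());
    return 0;
}
```

Running the program under AddressSanitizer (`-fsanitize=address`) is the practical check for this class of regression: a variant that stores or parses `body` before looking at the status would be reported at the first read of the freed block, which is exactly the condition a dropped upstream connection triggers in the field.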

