serveez: proposed update for stable and oldstable

Mon, 31 Aug 2009 09:44:02 -0700 

I've prepared a fix for a buffer overflow in serveez (Bug#540657), which
affects both etch and lenny (the package is not in unstable or testing
anymore), and have mailed the security team about it. I was told by Nico
Golde:

  Given the rather low count of serveez installations (4) and that this
  is only one of the functional parts of serveez I propose to update
  this via stable-proposed-updates. I think this doesn't deserve a DSA.

I've attached the debdiffs for etch and lenny (which are pretty much
identical):


diff -u serveez-0.1.5/debian/changelog serveez-0.1.5/debian/changelog
--- serveez-0.1.5/debian/changelog
+++ serveez-0.1.5/debian/changelog
@@ -1,3 +1,9 @@
+serveez (0.1.5-2+etch1) oldstable; urgency=high
+
+  * Applied patch to fix HTTP remote buffer overflow (closes: #540657).
+
+ -- Andreas Rottmann <[email protected]>  Mon, 24 Aug 2009 14:18:33 +0200
+
 serveez (0.1.5-2) unstable; urgency=low
 
   * Added cdbs to Build-Depends (closes: #198091).
only in patch2:
unchanged:
--- serveez-0.1.5.orig/src/http-server/http-core.c
+++ serveez-0.1.5/src/http-server/http-core.c
@@ -773,7 +773,7 @@
       break;
       /* RFC850-Date */
     default:
-      sscanf (date, "%s, %02d-%3s-%02d %02d:%02d:%02d GMT", 
+      sscanf (date, "%9s, %02d-%3s-%02d %02d:%02d:%02d GMT", 
 	      _wkday, &parse_time.tm_mday, _month, &parse_time.tm_year,
 	      &parse_time.tm_hour, &parse_time.tm_min, &parse_time.tm_sec);
 

diff -u serveez-0.1.5/debian/changelog serveez-0.1.5/debian/changelog
--- serveez-0.1.5/debian/changelog
+++ serveez-0.1.5/debian/changelog
@@ -1,3 +1,9 @@
+serveez (0.1.5-2.1+lenny1) stable; urgency=high
+
+  * Applied patch to fix HTTP remote buffer overflow (closes: #540657).
+
+ -- Andreas Rottmann <[email protected]>  Mon, 24 Aug 2009 14:09:52 +0200
+
 serveez (0.1.5-2.1) unstable; urgency=low
 
   * Non-maintainer upload.
only in patch2:
unchanged:
--- serveez-0.1.5.orig/src/http-server/http-core.c
+++ serveez-0.1.5/src/http-server/http-core.c
@@ -773,7 +773,7 @@
       break;
       /* RFC850-Date */
     default:
-      sscanf (date, "%s, %02d-%3s-%02d %02d:%02d:%02d GMT", 
+      sscanf (date, "%9s, %02d-%3s-%02d %02d:%02d:%02d GMT", 
 	      _wkday, &parse_time.tm_mday, _month, &parse_time.tm_year,
 	      &parse_time.tm_hour, &parse_time.tm_min, &parse_time.tm_sec);
 

Regards, Rotty
-- 
Andreas Rottmann -- <http://rotty.yi.org/>

Reply via email to