Bug#672989: Multiple security issues
Package: connman

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed this bug. These problems were not serious enough for a Debian Security Advisory, so they are now on my radar for fixing in the following suites through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites, and submit a debdiff to the Release Team [0] for consideration. They will offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and you need help. Please keep me in CC at all times so I can track [1] the progress of this request.

For details of this process and the rationale, please see the original announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/672989/
2: <201101232332.11736.th...@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug#672989: [pkg-fso-maint] Bug#672989: Multiple security issues
On Tue, May 15, 2012 at 09:39:06PM +0200, Julien Cristau wrote:
> On Tue, May 15, 2012 at 11:44:17 +0200, Moritz Muehlenhoff wrote:
>
> > Package: connman
> > Severity: grave
> > Tags: security
> >
> > CVE-2012-2320: Connman doesn't check for the origin of netlink messages
> > (from https://bugzilla.novell.com/show_bug.cgi?id=715172#c4)
> > http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=c1b968984212b46bea1330f5ae029507b9bfded9
> > http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=b0ec6eb4466acc57a9ea8be52c17b674b6ea0618
> >
> > CVE-2012-2321: Check hostname validity prior to setting the hostname in
> > loopback plug-in:
> > (from https://bugzilla.novell.com/show_bug.cgi?id=715172#c4)
> > http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=26ace5c59f790bce0f1988b88874c6f2c480fd5a
> > http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=a5f540db7354b76bcabd0a05d8eb8ba2bff4e911
> >
> > CVE-2012-2322: DHCPv6 option parsing vulnerable to DoS (endless loop):
> > (from https://bugzilla.novell.com/show_bug.cgi?id=715172#c9)
> > http://lists.connman.net/pipermail/connman/2012-May/009473.html
> >
> > Since this package is effectively unmaintained (no upload later than 2010
> > and way behind upstream), I suggest to simply remove it for Wheezy?
> >
> $ dak rm -Rn -s testing connman
> [...]
>
> Checking reverse dependencies...
> # Broken Build-Depends:
> fso-gsmd: connman-dev
>
> Dependency problem found.
>
> Sebastian, fso folks, is there a way to remove this build-dependency on
> connman?

Connman support is actually already disabled in fso-gsmd, since fso-gsmd needs at least connman 0.68 and Debian has only 0.48. Thus the build dependency can simply be removed.

Can this wait another week? Next week will be a new upstream release of all fso components, which we plan to upload asap to be in time for wheezy.

--
Sebastian
Bug#672989: Multiple security issues
On Tue, May 15, 2012 at 11:44:17 +0200, Moritz Muehlenhoff wrote:

> Package: connman
> Severity: grave
> Tags: security
>
> CVE-2012-2320: Connman doesn't check for the origin of netlink messages
> (from https://bugzilla.novell.com/show_bug.cgi?id=715172#c4)
> http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=c1b968984212b46bea1330f5ae029507b9bfded9
> http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=b0ec6eb4466acc57a9ea8be52c17b674b6ea0618
>
> CVE-2012-2321: Check hostname validity prior to setting the hostname in
> loopback plug-in:
> (from https://bugzilla.novell.com/show_bug.cgi?id=715172#c4)
> http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=26ace5c59f790bce0f1988b88874c6f2c480fd5a
> http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=a5f540db7354b76bcabd0a05d8eb8ba2bff4e911
>
> CVE-2012-2322: DHCPv6 option parsing vulnerable to DoS (endless loop):
> (from https://bugzilla.novell.com/show_bug.cgi?id=715172#c9)
> http://lists.connman.net/pipermail/connman/2012-May/009473.html
>
> Since this package is effectively unmaintained (no upload later than 2010
> and way behind upstream), I suggest to simply remove it for Wheezy?
>
$ dak rm -Rn -s testing connman
[...]

Checking reverse dependencies...
# Broken Build-Depends:
fso-gsmd: connman-dev

Dependency problem found.

Sebastian, fso folks, is there a way to remove this build-dependency on connman?

Cheers,
Julien
Bug#672989: Multiple security issues
Package: connman
Severity: grave
Tags: security

CVE-2012-2320: Connman doesn't check for the origin of netlink messages
(from https://bugzilla.novell.com/show_bug.cgi?id=715172#c4)
http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=c1b968984212b46bea1330f5ae029507b9bfded9
http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=b0ec6eb4466acc57a9ea8be52c17b674b6ea0618

CVE-2012-2321: Check hostname validity prior to setting the hostname in loopback plug-in:
(from https://bugzilla.novell.com/show_bug.cgi?id=715172#c4)
http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=26ace5c59f790bce0f1988b88874c6f2c480fd5a
http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=a5f540db7354b76bcabd0a05d8eb8ba2bff4e911

CVE-2012-2322: DHCPv6 option parsing vulnerable to DoS (endless loop):
(from https://bugzilla.novell.com/show_bug.cgi?id=715172#c9)
http://lists.connman.net/pipermail/connman/2012-May/009473.html

Since this package is effectively unmaintained (no upload later than 2010 and way behind upstream), I suggest to simply remove it for Wheezy?

Cheers,
Moritz
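Added illustration of the class of check named in CVE-2012-2320 above; this is not connman's code or the upstream commits linked in the report. It reads a netlink datagram with `recvmsg()` and ignores anything whose sender address is not the kernel (netlink port ID 0); the helper names `netlink_sender_is_kernel` and `recv_from_kernel` are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <linux/netlink.h>

/* Hypothetical helper: true only if the recorded sender is the kernel. */
static bool netlink_sender_is_kernel(const struct sockaddr_nl *sa, socklen_t len)
{
    if (sa == NULL || len != sizeof(*sa))   /* missing or short sender address */
        return false;
    return sa->nl_family == AF_NETLINK && sa->nl_pid == 0; /* port 0 = kernel */
}

/* Hypothetical helper: read one datagram; returns its size, 0 if it was
 * dropped (truncated or not sent by the kernel), -1 on a socket error. */
static ssize_t recv_from_kernel(int fd, void *buf, size_t buflen)
{
    struct sockaddr_nl sender;
    struct iovec iov = { .iov_base = buf, .iov_len = buflen };
    struct msghdr msg;
    ssize_t n;

    memset(&sender, 0, sizeof(sender));
    memset(&msg, 0, sizeof(msg));
    msg.msg_name = &sender;            /* have recvmsg() report who sent it */
    msg.msg_namelen = sizeof(sender);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;

    do {
        n = recvmsg(fd, &msg, 0);
    } while (n < 0 && errno == EINTR);
    if (n < 0)
        return -1;
    if ((msg.msg_flags & MSG_TRUNC) ||
        !netlink_sender_is_kernel(&sender, msg.msg_namelen))
        return 0;                      /* ignore: do not parse this message */
    return n;
}

int main(void)
{
    /* Constructed sender address: a user process with port ID 4242. */
    struct sockaddr_nl peer = { .nl_family = AF_NETLINK, .nl_pid = 4242 };
    return netlink_sender_is_kernel(&peer, sizeof(peer)) ? 1 : 0;
}
```

A caller treats a return of 0 as "skip this datagram" and parses the buffer only when the return value is positive.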