Your message dated Sat, 5 Nov 2005 17:45:37 +0100 with message-id <[EMAIL PROTECTED]> and subject line "junkbuster issue was already addressed by DSA-713" has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 15 Apr 2005 14:20:41 +0000
From: Helge Kreutzmann <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: junkbuster: Attacker might be able to modify settings
Date: Fri, 15 Apr 2005 16:20:30 +0200

Package: junkbuster
Version: 2.0.2-0.2
Severity: grave
Tags: security, woody
Justification: user security hole

According to http://lwn.net/Alerts/131964/ JunkBuster is vulnerable to a heap corruption vulnerability, and under certain configurations may allow an attacker to modify settings.

Impact
======

If JunkBuster has been configured to run in single-threaded mode, an attacker can disable or modify the filtering of Referrer: HTTP headers, potentially compromising the privacy of users. The heap corruption vulnerability could crash or disrupt the operation of the proxy, potentially executing arbitrary code.

The fix can probably be taken from the above Gentoo security advisory. You might want to track http://lwn.net/Articles/131972/ for other vendors' responses.

Please also check if the successor, privoxy, is impacted as well.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pleione 2.4.26-grsec #1 Tue Aug 10 15:42:40 CEST 2004 i686
Locale: LANG=en_US, LC_CTYPE=en_US

---------------------------------------
Received: (at 304793-done) by bugs.debian.org; 5 Nov 2005 16:45:59 +0000
Date: Sat, 5 Nov 2005 17:45:37 +0100
From: Helge Kreutzmann <[EMAIL PROTECTED]>
To: Moritz Muehlenhoff <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: junkbuster issue was already addressed by DSA-713

Version: 2.0.2-0.2woody1

Hello Moritz,
On Wed, Nov 02, 2005 at 10:24:44AM +0100, Moritz Muehlenhoff wrote:
> this issue is CVE-2005-1109 and was addressed by DSA-713 from 2005-04-13.
> Do you have reason to believe that the fix used there was incomplete?

(actually CVE-2005-1108 as well).

No, I simply missed it. Thus closing.

Greetings

Helge

-- 
Dr. Helge Kreutzmann, Dipl.-Phys.
[EMAIL PROTECTED]
gpg signed mail preferred
64bit GNU powered http://www.itp.uni-hannover.de/~kreutzm
Help keep free software "libre": http://www.ffii.de/