Your message dated Sat, 5 Nov 2005 17:45:37 +0100
with message-id <[EMAIL PROTECTED]>
and subject line junkbuster issue was already adressed by DSA-713
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 15 Apr 2005 14:20:41 +0000
>From [EMAIL PROTECTED] Fri Apr 15 07:20:41 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mrelay3.uni-hannover.de [130.75.2.41] (root)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DMRgX-0002GN-00; Fri, 15 Apr 2005 07:20:41 -0700
Received: from mail.itp.uni-hannover.de (mail.itp.uni-hannover.de 
[130.75.25.242])
        by mrelay3.uni-hannover.de (8.12.10/8.12.10) with ESMTP id 
j3FEKY9e004979
        for <[EMAIL PROTECTED]>; Fri, 15 Apr 2005 16:20:34 +0200 (MEST)
Received: from pleione.itp.uni-hannover.de (pleione.itp.uni-hannover.de 
[130.75.25.99])
        by mail.itp.uni-hannover.de (Postfix) with ESMTP
        id 4B98F1B5E2; Fri, 15 Apr 2005 16:20:30 +0200 (CEST)
Received: by pleione.itp.uni-hannover.de (Postfix, from userid 237)
        id 1E5A55F48; Fri, 15 Apr 2005 16:20:30 +0200 (CEST)
From: Helge Kreutzmann <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: junkbuster: Attacker might be able to modify settings
X-Mailer: reportbug 1.50
Date: Fri, 15 Apr 2005 16:20:30 +0200
Message-Id: <[EMAIL PROTECTED]>
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.2.2 
(mrelay3.uni-hannover.de [130.75.2.41]); Fri, 15 Apr 2005 16:20:34 +0200 (MEST)
X-Scanned-By: MIMEDefang 2.42
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-7.0 required=4.0 tests=BAYES_01,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: junkbuster
Version: 2.0.2-0.2
Severity: grave
Tags: security, woody
Justification: user security hole

According to 
http://lwn.net/Alerts/131964/ 

JunkBuster is vulnerable to a heap corruption vulnerability, and under
certain configurations may allow an attacker to modify settings.

Impact
======

If JunkBuster has been configured to run in single-threaded mode, an
attacker can disable or modify the filtering of Referrer: HTTP headers,
potentially compromising the privacy of users. The heap corruption
vulnerability could crash or disrupt the operation of the proxy,
potentially executing arbitrary code.


The fix can probably be taken from the above Gentoo security advisory.

You might want to track http://lwn.net/Articles/131972/ for other
vendors' responses.

Please also check if the successor, privoxy, is impacted as well.


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pleione 2.4.26-grsec #1 Tue Aug 10 15:42:40 CEST 2004 i686
Locale: LANG=en_US, LC_CTYPE=en_US


---------------------------------------
Received: (at 304793-done) by bugs.debian.org; 5 Nov 2005 16:45:59 +0000
>From [EMAIL PROTECTED] Sat Nov 05 08:45:59 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mrelay3.uni-hannover.de [130.75.2.41] (root)
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1EYRB0-0008WH-00; Sat, 05 Nov 2005 08:45:59 -0800
Received: from mail.itp.uni-hannover.de (mail.itp.uni-hannover.de 
[130.75.25.242])
        by mrelay3.uni-hannover.de (8.12.10/8.12.10) with ESMTP id 
jA5GjqJ3013419;
        Sat, 5 Nov 2005 17:45:52 +0100 (MET)
Received: from zibal.itp.uni-hannover.de (zibal.itp.uni-hannover.de 
[130.75.25.91])
        by mail.itp.uni-hannover.de (Postfix) with ESMTP
        id 7174B1B735; Sat,  5 Nov 2005 17:45:47 +0100 (CET)
Received: by zibal.itp.uni-hannover.de (Postfix, from userid 237)
        id 179AD1A6CC; Sat,  5 Nov 2005 17:45:37 +0100 (CET)
Date: Sat, 5 Nov 2005 17:45:37 +0100
From: Helge Kreutzmann <[EMAIL PROTECTED]>
To: Moritz Muehlenhoff <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: junkbuster issue was already adressed by DSA-713
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="GvXjxJ+pjyke8COw"
Content-Disposition: inline
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.4.2.1i
X-Public-Key-URL: http://www.itp.uni-hannover.de/~kreutzm/data/kreutzm.gpg
X-homepage: http://www.itp.uni-hannover.de/~kreutzm
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.2.2 
(mrelay3.uni-hannover.de [130.75.2.41]); Sat, 05 Nov 2005 17:45:52 +0100 (MET)
X-Scanned-By: MIMEDefang 2.42
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 
        version=2.60-bugs.debian.org_2005_01_02


--GvXjxJ+pjyke8COw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Version: 2.0.2-0.2woody1

Hello Moritz,
On Wed, Nov 02, 2005 at 10:24:44AM +0100, Moritz Muehlenhoff wrote:
> this issue is CVE-2005-1109 and was addressed by DSA-713 from 2005-04-13.
> Do you have reason to believe that the fix used there was incomplete?

(actually CVE-2005-1108 as well). No, I simply missed it. Thus
closing.

Greetings

            Helge


-- 
Dr. Helge Kreutzmann, Dipl.-Phys.           [EMAIL PROTECTED]
                       gpg signed mail preferred
    64bit GNU powered                  http://www.itp.uni-hannover.de/~kreutzm
          Help keep free software "libre": http://www.ffii.de/

--GvXjxJ+pjyke8COw
Content-Type: application/pgp-signature
Content-Disposition: inline


--GvXjxJ+pjyke8COw--

