Hi, * Michael S. Gilbert <[email protected]> [2009-05-15 19:45]: > On Fri, 15 May 2009 14:18:26 +0200, Nico Golde wrote: [...] > > turns out my patch has a bug in it which opens this up for a > > buffer overflow again in case strlen(ctcpbuf) returns 0: > > http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/68341 > > > > > > Too bad noone noticed that before. > > I am going to upload a 0-day NMU now to fix this. > > > > debdiff available on: > > http://people.debian.org/~nion/nmu-diff/eggdrop-1.6.19-1.1_1.6.19-1.2.patch > > > > (includes the wrong bug number to close as I tried to reopen it fist but it > > failed because it was already archived). > > does this mean that DSA-1448 needs to be reissued?
Yes > and is that in the works? No > should the etch fixed version get removed from the DSA > list to reindicate that etch is vulnerable? No there will be a -2 DSA if any that reflects the previous fix being incomplete. Cheers Nico P.S. this belongs on the testing-security team mailing list and not to the BTS. -- Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
pgp4AcogoXWeo.pgp
Description: PGP signature
_______________________________________________ Secure-testing-team mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
