FreezeException request-- Sync with Debian unstable

Reported by Kazuhiro NISHIYAMA on 2012-04-10
This bug affects 1 person
Affects: inspircd (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

My request is similar to #201941.
See http://www.debian.org/security/2012/dsa-2448 and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=620960 .

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: inspircd (not installed)
ProcVersionSignature: Ubuntu 3.2.0-22.35-generic 3.2.14
Uname: Linux 3.2.0-22-generic x86_64
ApportVersion: 2.0-0ubuntu5
Architecture: amd64
Date: Wed Apr 11 02:20:17 2012
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Beta amd64 (20120301)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=ja_JP.UTF-8
 SHELL=/bin/bash
SourcePackage: inspircd
UpgradeStatus: No upgrade log present (probably fresh install)

Jonathan Wiltshire (jwiltshire) wrote :

You have got to be kidding, a major new upstream sync two weeks before release?

Rather you should prepare a minimal package based on the fix for this DSA and ask your security team/release team to get it in through the normal channels.

Jonathan Wiltshire (jwiltshire) wrote :

The CVE title is "Heap-based buffer overflow in dns.cpp in InspIRCd 2.0.5 might allow remote attackers to execute arbitrary code via a crafted DNS query that uses compression".

The attachment "patch for the DSA" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-sponsors team, please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch

Daniel Holbach (dholbach) wrote :

> You have got to be kidding, ...

If you have something to say, please say it in a respectful way. I'm sure Kazuhiro Nishiyama had the best intentions when filing this bug report.

Daniel Holbach (dholbach) wrote :

Just looking at the version numbers in the different Ubuntu releases, the patch you mentioned should at least apply for precise, oneiric, natty and lucid. For hardy it is less clear.

Daniel Holbach (dholbach) wrote :

1.1.22+dfsg-4+squeeze1 does not build in precise as-is. It will likely need -4ubuntu1 to build.

Scott Kitterman (kitterman) wrote :

Nack on the FFe from the release team, but we definitely want the security fix before release. Please prepare a merge between the package in Testing and what's in Precise.

Julian Taylor (jtaylor) wrote :

closing as per nack,
bug 982509 for the security update

Changed in inspircd (Ubuntu):
status: New → Won't Fix