FreezeException request-- Sync with Debian unstable

Bug #978206 reported by Kazuhiro NISHIYAMA
This bug affects 1 person
Affects: inspircd (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

My request is similar to #201941.
See http://www.debian.org/security/2012/dsa-2448 and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=620960.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: inspircd (not installed)
ProcVersionSignature: Ubuntu 3.2.0-22.35-generic 3.2.14
Uname: Linux 3.2.0-22-generic x86_64
ApportVersion: 2.0-0ubuntu5
Architecture: amd64
Date: Wed Apr 11 02:20:17 2012
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Beta amd64 (20120301)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=ja_JP.UTF-8
 SHELL=/bin/bash
SourcePackage: inspircd
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Jonathan Wiltshire (jwiltshire) wrote :

You have got to be kidding, a major new upstream sync two weeks before release?

Rather you should prepare a minimal package based on the fix for this DSA and ask your security team/release team to get it in through the normal channels.

Jonathan Wiltshire (jwiltshire) wrote :

The CVE title is "Heap-based buffer overflow in dns.cpp in InspIRCd 2.0.5 might allow remote attackers to execute arbitrary code via a crafted DNS query that uses compression".

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "patch for the DSA" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-sponsors team, please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Daniel Holbach (dholbach) wrote :

> You have got to be kidding, ...

If you have something to say, please say it in a respectful way. I'm sure Kazuhiro Nishiyama had the best intentions when filing this bug report.

Daniel Holbach (dholbach) wrote :

Just looking at the version numbers in the different Ubuntu releases, the patch you mentioned should at least apply for precise, oneiric, natty and lucid. For hardy it is less clear.

Daniel Holbach (dholbach) wrote :

1.1.22+dfsg-4+squeeze1 does not build in precise as-is. It will likely need -4ubuntu1 to build.

Scott Kitterman (kitterman) wrote :

Nack on the FFe from the release team, but we definitely want the security fix before release. Please prepare a merge between the package in Testing and what's in Precise.

Julian Taylor (jtaylor) wrote :

closing as per nack,
bug 982509 for the security update

Changed in inspircd (Ubuntu):
status: New → Won't Fix