Multiple security vulnerabilities
Bug #271025 reported by Scott Kitterman
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libspf2 (Ubuntu) | Fix Released | High | Scott Kitterman | |
Dapper | Fix Released | Undecided | Unassigned | |
Feisty | Fix Released | Undecided | Unassigned | |
Gutsy | Fix Released | Undecided | Unassigned | |
Hardy | Fix Released | Undecided | Unassigned | |
Intrepid | Fix Released | High | Scott Kitterman | |
Bug Description
Security changes in the new upcoming release are:
1) responsebuf is now dynamically allocated, avoiding a buffer overrun found and published by Openwave.
2) TXT record lengths are now handled properly, avoiding a remote exploit.
#2 is the private one.
I have the code and will prepare debdiffs. I don't have a precise embargo date for this yet. Still working on that.
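An added illustration of the kind of handling items 1 and 2 describe; it is not libspf2 code and not the fix itself. It assumes RFC 1035 TXT RDATA (a sequence of length-prefixed character-strings); the function name `txt_rdata_join` and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not a libspf2 function): join the character-strings
 * of one TXT RDATA into a freshly allocated, NUL-terminated string.
 * Each character-string is <length byte><that many bytes of text>.
 * Returns NULL if a length byte claims more data than the record holds,
 * or if allocation fails. The caller frees the result. */
char *txt_rdata_join(const uint8_t *rdata, size_t rdlen)
{
    /* Joined text is never longer than rdlen, so the buffer is sized
     * from the record itself instead of a fixed array. */
    char *out = malloc(rdlen + 1);
    size_t pos = 0, used = 0;

    if (out == NULL)
        return NULL;
    while (pos < rdlen) {
        size_t seg = rdata[pos++];      /* length byte, 0..255 */
        if (seg > rdlen - pos) {        /* would read past the record */
            free(out);
            return NULL;
        }
        memcpy(out + used, rdata + pos, seg);
        used += seg;
        pos += seg;
    }
    out[used] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: two segments, "v=spf1 " and "-all". */
    static const uint8_t good[] = { 7,'v','=','s','p','f','1',' ', 4,'-','a','l','l' };
    /* Constructed sample: length byte says 200, only 3 bytes follow. */
    static const uint8_t bad[] = { 200, 'a', 'b', 'c' };
    char *s = txt_rdata_join(good, sizeof good);
    int ok = s != NULL && strcmp(s, "v=spf1 -all") == 0;

    free(s);
    s = txt_rdata_join(bad, sizeof bad);
    ok = ok && s == NULL;
    free(s);
    return ok ? 0 : 1;
}
```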
CVE References
description: updated
Changed in libspf2:
assignee: nobody → kitterman
status: Triaged → In Progress
Changed in libspf2:
status: In Progress → Fix Committed
Changed in libspf2:
status: Fix Committed → Fix Released
Re: Releasing new libspf2 into debian
Date: Thu Sep 18 11:33:01 2008
From: Shevek <email address hidden>
To: Scott Kitterman <email address hidden>
CC: Magnus Holmgren <email address hidden>
On Thu, 2008-09-18 at 11:18 -0400, Scott Kitterman wrote:
> On Thursday 18 September 2008 10:02, Shevek wrote:
> > Hi,
> >
> > People are asking me about making this vuln public. How long do you want
> > until you're ready to roll with a fix? You'll still need most of
> > Magnus's debian patches if you're only replacing that one file.
> >
> > S.
>
> For Ubuntu, I can probably get inputs to the security team today. They
> generally need 24-48 hours to get things rolled out. Unfortunately I'm
> leaving town in the morning and will be off the grid for a week (I'd thought
> this would wait until I got back). The Ubuntu development release doesn't
> promise any level of security goodness, so I'll get 1.2.6 into it once I get
> back (hopefully via Debian if Magnus gets it uploaded).
>
> I'll give the Ubuntu security team your name/address as a POC in my absence
> and make sure you know who to email before I go.
I'm still waiting to hear back from Dan, but CERT want to make this into
a CVE. I'm also travelling for work next week, although I'll be on
email, I hope.
I'm tempted to put this out as a quiet security update in both
distributions, preferably in advance of the fanfare; I don't want a CVE
coming out before Debian have released the patch. On the other hand, I
have agreed to wait for Dan.
S.