
Re: nufw stable update for CVE-2007-5723

On Wed, Jan 09, 2008 at 12:46:03PM +0100, Nico Golde wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for nufw some time ago.
> CVE-2007-5723[0]:
> | Heap-based buffer overflow in the samp_send function in nuauth/sasl.c
> | in NuFW before 2.2.7 allows remote attackers to cause a denial of
> | service via unspecified input on which base64 encoding is performed.
> | NOTE: some of these details are obtained from third party information.
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via regular security update in Debian stable. It does
> not warrant a DSA.
> However it would be nice if this could get fixed via a regular point update[1].
> Please contact the release team for this.

While I'm perfectly ok for a regular point update, there is a problem:
the version in stable (etch) is 1.0.23, which is unmaintained upstream, and
has security problems. It will be extremely difficult to extract a
patch, given the number of changes in the code.
The good thing to do would be to package the 2.2.x branch, which is
technically easy (I maintain packages for etch on packages.inl.fr, and
upgrade from 1.x is not a problem), but would require a package upgrade.

Would it be ok to package a recent version, and propose it on
stable-updates?

