[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Request to update iodine in lenny

Dear release team,

[Background in #521260]

lenny has iodine 0.4.2-2. iodine's server segfaults when a 0.5.x 
client connects or when a hand-crafted package is sent to it
with a script. This can be used for a DoS attack (provided the IP    
address of the machine running iodined and the relevant domain name
is known) and is annoying in general.

The bug is fixed in the 0.5.x versions in testing and unstable, and  
there's also a 0.5.1-2~bpo50+1 package at backports.org.

Albert Sellarès has provided a small patch for the 0.4.2 version in
#521260 and I can confirm that it works.

I've contacted the Security Team to get their opinion, and they
suggest an update through stable-proposed-updates.

My suggestion is now to prepare a 0.4.2-2~lenny1 package with the
mentioned patch for inclusion in the next point release. Would this
be ok?

 .''`.   Home: http://info.comodo.priv.at/{,blog/} / GPG Key ID: 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT, SPI Inc., fellow of FSFE | http://got.to/quote/
   `-    NP: Donovan: Celeste

Attachment: signature.asc
Description: Digital signature

Reply to: