
Re: Request to update iodine in lenny
On Mon, Apr 27, 2009 at 05:39:48PM +0200, gregor herrmann wrote:
> [Background in #521260]
> 
> lenny has iodine 0.4.2-2. iodine's server segfaults when a 0.5.x 
> client connects or when a hand-crafted package is sent to it
> with a script. This can be used for a DoS attack (provided the IP    
> address of the machine running iodined and the relevant domain name
> is known) and is annoying in general.
> 
> The bug is fixed in the 0.5.x versions in testing and unstable, and  
> there's also a 0.5.1-2~bpo50+1 package at backports.org.
> 
> Albert Sellarès has provided a small patch for the 0.4.2 version in
> #521260 and I can confirm that it works.
> 
> I've contacted the Security Team to get their opinion, and they
> suggest an update through stable-proposed-updates.
> 
> My suggestion is now to prepare a 0.4.2-2~lenny1 package with the
> mentioned patch for inclusion in the next point release. Would this
> be ok?

I wonder why it's not updated through security, considering that iodine
is used for publicly, not firewalled services.

Apart from that I'm ok with this, provided that the indentation of
line 17 in the patch (send_version_response[...]) is corrected.

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                         Stable Release Manager
`. `'   xmpp:phil@0x539.de                         Wanna-Build Admin
  `-    finger pkern/key@db.debian.org
