Dear release team,

[Background in #521260]

lenny has iodine 0.4.2-2. iodine's server segfaults when a 0.5.x client connects or when a hand-crafted package is sent to it with a script. This can be used for a DoS attack (provided the IP address of the machine running iodined and the relevant domain name is known) and is annoying in general.

The bug is fixed in the 0.5.x versions in testing and unstable, and there's also a 0.5.1-2~bpo50+1 package at backports.org.

Albert Sellarès has provided a small patch for the 0.4.2 version in #521260 and I can confirm that it works.

I've contacted the Security Team to get their opinion, and they suggest an update through stable-proposed-updates.

My suggestion is now to prepare a 0.4.2-2~lenny1 package with the mentioned patch for inclusion in the next point release.

Would this be ok?

Cheers,
gregor

-- 
 .''`.   Home: http://info.comodo.priv.at/{,blog/} / GPG Key ID: 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT, SPI Inc., fellow of FSFE | http://got.to/quote/
   `-    NP: Donovan: Celeste