
Please unblock ircd-ratbox 3.0.6.dfsg-2



Coin,

Short version:

ircd-ratbox (3.0.6.dfsg-2) unstable; urgency=high

  * Added 'gnutls_tryconn_double_cb_call' patch to fix password
    disclosure when s2s link fails.
  * Added missing build-dependency: pkg-config.
  * Corrected init.d LSB problems:
    + init.d-script-missing-dependency-on-remote_fs
    + missing $time (to avoid TS protocol disturbance)
  * Took over the maintenance with nohar's blessing.

 -- Marc Dequènes (Duck) <Duck@DuckCorp.org>  Mon, 06 Dec 2010 02:10:10 +0100

Long version:

As I was working to get two servers to link with SSL, I made a network trace and discovered my server password was leaked clearly on the network. Upstream people did not care much about it, so I decided to have a look in the code myself. A few days ago, I made a one-liner patch which solves only the security problem, and I think it should be included.

Unfortunately, while preparing an upload, I discovered the package also suffered from another problem: the pkg-config build dependency had been missing for ages. When I started uploading with SSL support, it made a big difference because the configure script had no fallback in this situation and ignored SSL without complaining. Nevertheless, uploaded binary packages had such support, alternatively on i386 and amd64, depending on which one we uploaded from. Even if the s2s SSL link probably won't work in any configuration (at least using GNUTLS), the c2s connections have worked very well for a long time. I then decided to add this build-dependency, which should have been there from the start.

By the way, I corrected a problem in the init.d LSB headers, which are considered important matters since insserv has been pushed.

As Nohar won't have any time or interest in this package anymore, I also changed the maintainer field, which is not a big deal.

I hope these fixes can be pushed into Squeeze. However that may be, thanks for your work on this request.

Regards.

--
Marc Dequènes (Duck)
