Bug#725370: pu: package xinetd/1:2.3.14-7.1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
I'd like to propose an upgrade of xinetd.
There is a security bug, not so severe, CVE-2013-4342,
handled in #324678.
However the bug is closed only in unstable. The version in stable is
different, so the patch needs to be applied to that version too.
The patch is quite trivial, I attach the one I used in unstable, the one
needed in stable needs to be applied to a different line.
Do you think it is a good idea to upgrade it?
If you agree, Salvatore Bonaccorso offered himself to sponsor the upload.
Bye
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.11.2a (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Description: can set uid for tcpmux
This patch fixes CVE-2013-4342, by allowing TCPMUX to be used
under a different user.
Origin: other, https://github.com/xinetd-org/xinetd/pull/10/files
Reviewed-By: Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>
.
xinetd (1:2.3.15-2) unstable; urgency=high
.
* Fix CVE-2013-4342 making TCPMUX services change the uid.
(Closes: #324678)
Author: https://github.com/octurite
Bug-Debian: http://bugs.debian.org/324678
Last-Update: 2013-10-03
--- xinetd-2.3.15.orig/xinetd/builtins.c
+++ xinetd-2.3.15/xinetd/builtins.c
@@ -617,7 +617,7 @@ static void tcpmux_handler( const struct
if( SC_IS_INTERNAL( scp ) ) {
SC_INTERNAL(scp, nserp);
} else {
- exec_server(nserp);
+ child_process(nserp);
}
}
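Review bot: The else branch of tcpmux_handler now calls child_process(nserp) with no comment saying why exec_server(nserp) must not be called directly there. Since the header gives the purpose as making TCPMUX services change the uid, a one-line comment at the call site stating that would keep a later cleanup from reverting it. It is also worth confirming that child_process(nserp) never returns into tcpmux_handler, because nothing after the call in this hunk handles that case. For the stable upload, the file paths (xinetd-2.3.15), the @@ -617,7 +617,7 @@ offset and the changelog stanza quoted in the header (1:2.3.15-2 unstable) all come from the unstable version, so the patch should be regenerated against the stable source rather than applied with fuzz.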