Le jeudi 26 mars 2015 à 02:23 +0100, Guillaume Delacour a écrit : > Le jeudi 26 mars 2015 à 01:24 +0100, Guillaume Delacour a écrit : > > Hi, > > > > One of upstream author of inspircd has reported [1] that the fix we > > provide in the Debian package for CVE-2012-1836 is incomplete. > > > > I've refreshed the patch 03_CVE-2012-1836.diff to integrate changes for > > src/dns.cpp between 2.0.5 and 2.0.7 as suggested by upstream. > > > > I've uploaded the version 2.0.5-1+deb7u1 on mentors [2] based on the > > Debian developers reference guide [3]. > > I'm sorry but upstream need a bit more time to be sure that the patch > i've made (by importing src/dns.cpp from a newer version as he > suggested) will be sufficient and wont break anything. > > I'll give feedback when me and upstream are sure that the fix (and the > reproducibility of the crash with an exploit) is the right. Upstream confirm me that the fix is correct for this CVE. The package uploaded on mentors was not modified since my first mail and is ready for upload if anybody can/want upload it to stable. In a second stage, upstream show me other [4] security related changes done between the actual 2.0.18 stable and the 2.0.5 shipped in wheezy. Upstream "strongly urge" me to take a look at these commits to evaluate the impact, maybe someone of the security team could help me and upstream to review the impact of them. > > > > > [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780880 > > [2]: > > http://mentors.debian.net/debian/pool/main/i/inspircd/inspircd_2.0.5-1 > > +deb7u1.dsc > > [3]: > > https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security > > > [4]: https://github.com/Adam-/inspircd/commits/debian7
Attachment:
signature.asc
Description: This is a digitally signed message part