Package: libdevel-stacktrace-perl
Version: 1.11-1
Severity: important
Tags: security etch
X-Debbugs-Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Quoting <http://lists.bestpractical.com/pipermail/rt-announce/2008-June/000158.html>:

> All versions of RT from 3.0.0 to 3.6.6 (including some, but not all RT
> 3.7 development releases) are vulnerable to a potential remote denial
> of service attack which could exhaust virtual memory or consume all
> available CPU resources. After a detailed analysis, we believe that
> an attacker would need to be a 'Privileged' RT user in order to
> perform an attack.
>
> We recommend that you install version 1.19 or newer of the Perl module
> Devel::StackTrace from CPAN, which will close the vulnerability. Two
> methods for doing this are:

[...]

> Installing this newer version of the module is a complete fix, and
> will close the vulnerability. However, we suggest that you upgrade to
> RT 3.6.7, released last Monday, which provides additional safeguards
> against this type of attack.

The fix can be seen here:

http://search.cpan.org/diff?from=Devel-StackTrace-1.18&to=Devel-StackTrace-1.19#lib/Devel/StackTrace.pm

and a fixed version is two days away from entering lenny.

Etch has libdevel-stacktrace-perl 1.11-1, which most probably has the same
bug too, so reporting at that version.

The RT packages concerned are request-tracker3.4 (Etch only) and
request-tracker3.6 (both Etch and lenny/sid). Cc'ing the maintainer
addresses.

I don't understand the issue fully yet, particularly the 'exhaust virtual
memory or consume all available CPU resources' part. I'll get back to
this, but it may take a while. Help would be welcome.

The big question is whether this needs an Etch update. I'm leaving the
severity at 'important' for now, as the security impact seems to be quite
low. Cc'ing the security team as a heads-up.

-- 
Niko Tyni [EMAIL PROTECTED]