Package: libdevel-stacktrace-perl
Version: 1.11-1
Severity: important
Tags: security etch
X-Debbugs-Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]

Quoting 
<http://lists.bestpractical.com/pipermail/rt-announce/2008-June/000158.html>:

> All versions of RT from 3.0.0 to 3.6.6 (including some, but not all RT
> 3.7 development releases) are vulnerable to a potential remote denial
> of service attack which could exhaust virtual memory or consume all
> available CPU resources.  After a detailed analysis, we believe that
> an attacker would need to be a 'Privileged' RT user in order to
> perform an attack.

> We recommend that you install version 1.19 or newer of the Perl module
> Devel::StackTrace from CPAN, which will close the vulnerability.  Two
> methods for doing this are:

[...]

> Installing this newer version of the module is a complete fix, and
> will close the vulnerability.  However, we suggest that you upgrade to
> RT 3.6.7, released last Monday, which provides additional safeguards
> against this type of attack.

The fix can be seen here:

http://search.cpan.org/diff?from=Devel-StackTrace-1.18&to=Devel-StackTrace-1.19#lib/Devel/StackTrace.pm

and a fixed version is two days away from entering lenny.

Etch has libdevel-stacktrace-perl 1.11-1, which most probably has the
same bug too, so reporting at that version.

The RT packages concerned are request-tracker3.4 (Etch only) and
request-tracker3.6 (both Etch and lenny/sid). Cc'ing the maintainer
addresses.

I don't understand the issue fully yet, particularly the 'exhaust virtual
memory or consume all available CPU resources' part. I'll get back to
this, but it may take a while. Help would be welcome.

The big question is whether this needs an Etch update. I'm leaving the
severity at 'important' for now, as the security impact seems to be
quite low.

Cc'ing the security team as a heads-up.
-- 
Niko Tyni   [EMAIL PROTECTED]


