Bug#708515: Bug #708515 in Debian
Thomas Goirand wrote:
> I was wondering if you could help me here. I'm worried about this new bug in Debian:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708515

The CVE and bug are lacking a bit of information, but it really looks like a duplicate of Debian bug 700240 (CVE-2013-0270): large POST requests consuming server memory/CPU. Both would be mitigated by a request-limiting front-end (for Folsom and before) or the sizelimit middleware (for Grizzly and after), which were suggested as workarounds for CVE-2013-0270 already.

> Already CVE-2013-0247 and CVE-2013-0270 were duplicates. Is it possible that CVE-2013-2014 is also a duplicate of the same issue?

CVE-2013-0247 is not a duplicate of CVE-2013-0270.

CVE-2013-0270: Large POST consuming memory/CPU
CVE-2013-0247: Malicious POST to /tokens consuming disk space

Hope this helps,

--
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
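The mitigation named in the message above, a request-body size limit sitting in front of the API so that a large POST is rejected before it costs the service memory or CPU, as an added example in plain WSGI. This is illustrative code written for this page, not the OpenStack sizelimit middleware and not code from any Debian package. It assumes a WSGI application behind it and uses a constructed default limit of 112 KiB. It goes slightly beyond the message by also covering a body whose Content-Length is absent or understated: the bytes the application actually reads are counted, so the limit holds either way.

```python
import io
import sys

# Constructed default for this example: 112 KiB, deliberately small so the
# effect is visible. A real deployment sizes this to its largest legitimate request.
DEFAULT_MAX_BODY = 112 * 1024


class RequestTooLarge(Exception):
    """Raised by LimitedInput when the application reads past the limit."""


class LimitedInput:
    """Wraps wsgi.input and counts bytes handed to the application, so a body
    with a missing or lying Content-Length still cannot exceed max_body."""

    def __init__(self, stream, max_body):
        self._stream = stream
        self._max = max_body
        self._seen = 0

    def _account(self, data):
        self._seen += len(data)
        if self._seen > self._max:
            raise RequestTooLarge()
        return data

    def _cap(self, size):
        # Never ask the underlying stream for more than limit + 1 bytes; the
        # extra byte is what detects an oversize body without buffering it all.
        remaining = self._max - self._seen + 1
        if size is None or size < 0 or size > remaining:
            return remaining
        return size

    def read(self, size=-1):
        return self._account(self._stream.read(self._cap(size)))

    def readline(self, size=-1):
        return self._account(self._stream.readline(self._cap(size)))


class RequestSizeLimit:
    """WSGI middleware: reject request bodies larger than max_body with 413."""

    def __init__(self, app, max_body=DEFAULT_MAX_BODY):
        self.app = app
        self.max_body = max_body

    def __call__(self, environ, start_response):
        # Cheap path: an honestly declared oversize body never reaches the app.
        declared = environ.get('CONTENT_LENGTH') or ''
        if declared.isdigit() and int(declared) > self.max_body:
            return self._reject(start_response)
        # Defensive path: cap what the application can actually read, whatever
        # the headers claimed. (An app that reads its input lazily from a
        # generator would raise outside this try; APIs that parse the body up
        # front, as token or JSON endpoints do, are covered.)
        environ['wsgi.input'] = LimitedInput(environ['wsgi.input'], self.max_body)
        try:
            return self.app(environ, start_response)
        except RequestTooLarge:
            # exc_info lets the server abort cleanly if headers were already sent.
            return self._reject(start_response, sys.exc_info())

    @staticmethod
    def _reject(start_response, exc_info=None):
        body = b'413 Request Entity Too Large\n'
        start_response('413 Request Entity Too Large',
                       [('Content-Type', 'text/plain'),
                        ('Content-Length', str(len(body)))], exc_info)
        return [body]


def echo_length_app(environ, start_response):
    """Constructed sample application: reads the whole body, as an API parsing
    a JSON request would, and reports how many bytes it got."""
    body = environ['wsgi.input'].read()
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [('received %d bytes' % len(body)).encode()]


def call(app, body, declare_length=True):
    """Drive a WSGI app offline; returns (status line, response body bytes)."""
    environ = {'REQUEST_METHOD': 'POST', 'wsgi.input': io.BytesIO(body)}
    if declare_length:
        environ['CONTENT_LENGTH'] = str(len(body))
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured['status'] = status

    result = b''.join(app(environ, start_response))
    return captured['status'], result


if __name__ == '__main__':
    limited = RequestSizeLimit(echo_length_app, max_body=1024)
    print(call(limited, b'x' * 1000))                        # accepted
    print(call(limited, b'x' * 4096))                        # declared oversize
    print(call(limited, b'x' * 4096, declare_length=False))  # undeclared oversize
```

The declared-length check is the cheap part and is what a request-limiting front-end does; the wrapped input stream is what makes the limit hold against a client that omits or understates Content-Length, which is why the two belong together rather than either alone.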
Bug#703242: [openstack-dev] Bug#703242: Bugging issue with nova-consoleauth on newest nova build 2012.1.1-15
Thomas Goirand wrote:
> Vish, TTX, Michael, do you know if this will happen anytime soon? Or do you think that the patch from Jules is actually ok, and I should apply it and release it in Debian? I really need your input here.

I'll look into it and try to corner Michael, Vish and the Essex stable maintenance folks about it today.

Cheers,

--
Thierry Carrez (ttx)
Release Manager, OpenStack
Bug#495235: Tomcat 5.5 still doesn't accept JREs
reopen 495235
severity important
thanks

The applied fix allows tomcat5.5 to run with openjdk-6-jdk, however it is not enough to make it accept openjdk-6-jre for running (which is the title of this bug).

There is a check in tomcat5.5.init that ensures that the chosen JVM is a JDK and not a JRE. That check needs to be removed if you want to support running with a JRE (using libecj-java as the JSP compiler).

See http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=17;filename=jre.diff;att=1;bug=495235 for a patch.

--
Thierry Carrez
Bug#494504: Patches
Digging in the Apache Tomcat SVN and commit logs revealed the following 5.5.x fixes:

CVE-2008-1232: http://svn.apache.org/viewvc?rev=680947&view=rev
CVE-2008-2370: http://svn.apache.org/viewvc?view=rev&revision=680949
CVE-2008-2938: http://svn.apache.org/viewvc?view=rev&revision=681065

Hope this helps.

--
Thierry Carrez
Ubuntu server team
Bug#485439: nagios3: XSS vulnerabilities in CGI scripts (CVE-2007-5803)
Package: nagios3
Version: 3.0.1-1
Severity: grave
Tags: security
Justification: user security hole

Multiple cross-site scripting (XSS) vulnerabilities in CGI programs in Nagios might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5803

Nagios 3.0.2 was released to address this issue in the 3.x line.
http://www.nagios.org/development/history/nagios-3x.php

-- System Information:
Debian Release: lenny/sid
  APT prefers hardy-updates
  APT policy: (500, 'hardy-updates'), (500, 'hardy-security'), (500, 'hardy-proposed'), (500, 'hardy')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-18-generic (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash