Bug#543312: CVE-2009-2732: Basic Authentication Null Pointer Denial of Service
Ola Lundqvist wrote:
> Sure. In that case, where do I upload it? To lenny-proposed-updates?

stable-proposed-updates for lenny and oldstable-proposed-updates for etch.[1]

Please contact the stable release team before you upload.

[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

Cheers,
Giuseppe.
Bug#543312: CVE-2009-2732: Basic Authentication Null Pointer Denial of Service
Hi Giuseppe

Thanks a lot for the report. The attached patch should solve this problem.

To the security team: do you want me to upload this to stable in addition to unstable? Please also review whether you think this solution is good enough.

// Ola

On Mon, Aug 24, 2009 at 08:46:17AM +0200, Giuseppe Iuculano wrote:
> Package: ntop
> Severity: serious
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was published for ntop.
>
> CVE-2009-2732[0]:
> | The checkHTTPpassword function in http.c in ntop 3.3.10 and earlier
> | allows remote attackers to cause a denial of service (NULL pointer
> | dereference and daemon crash) via an Authorization HTTP header that
> | lacks a : (colon) character in the base64-decoded string.
>
> If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.
>
> For further information see:
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2732
>     http://security-tracker.debian.net/tracker/CVE-2009-2732
>
> Cheers,
> Giuseppe.

-- 
Ola Lundqvist
o...@debian.org / o...@inguza.com
Annebergsslingan 37, 654 65 KARLSTAD
http://inguza.com/   +46 (0)70-332 1551
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9

Attached patch (as it appears in the archive, run together onto one line):

--- http.c~ 2007-06-09 16:33:45.0 +0200 +++ http.c 2009-09-27 09:50:56.420394637 +0200 @@ -3377,8 +3377,8 @@ static int checkHTTPpassword(char *theRe i = decodeString(thePw, (unsigned char*)outBuffer, sizeof(outBuffer)); - if(i == 0) { user = , thePw[0] = '\0'; + if(i == 0) { outBuffer[0] = '\0'; } else { outBuffer[i] = '\0';
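Review bot: the visible part of the hunk changes only the `i == 0` branch (decodeString produced nothing), yet the CVE text quoted in this same message says the crash comes from a decoded Authorization value that lacks a ':' character, and a non-empty credential without a colon takes the `else` branch, not this one. Please confirm that the remainder of the hunk (the header announces 8 lines on each side, but only the first three survive in the archive) NULL-checks the result of the colon lookup before it is dereferenced, and spell out in the changelog which case the fix covers. Two smaller points: the removed line `if(i == 0) { user = , thePw[0] = '\0';` appears mangled here (the right-hand side of the `user =` assignment is missing), so check that the file you actually attached is intact; and the replacement line no longer clears `thePw[0]`, so make sure nothing later in checkHTTPpassword still relies on the password buffer being emptied when decoding fails.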
Bug#543312: CVE-2009-2732: Basic Authentication Null Pointer Denial of Service
On Sun, Sep 27, 2009 at 11:35:46AM +0200, Ola Lundqvist wrote:
> Hi Giuseppe
>
> Thanks a lot for the report. The attached patch should solve this problem.
>
> To the security team. Do you want me to upload this to stable in addition to unstable?

This doesn't warrant a DSA, but you could propose it for a point update.

Cheers,
Moritz
Bug#543312: CVE-2009-2732: Basic Authentication Null Pointer Denial of Service
Hi Moritz

On Sun, Sep 27, 2009 at 12:40:54PM +0200, Moritz Muehlenhoff wrote:
> On Sun, Sep 27, 2009 at 11:35:46AM +0200, Ola Lundqvist wrote:
> > Hi Giuseppe
> >
> > Thanks a lot for the report. The attached patch should solve this problem.
> >
> > To the security team. Do you want me to upload this to stable in addition to unstable?
>
> This doesn't warrant a DSA, but you could propose it for a point update.

Sure. In that case, where do I upload it? To lenny-proposed-updates?

Best regards,

// Ola

> Cheers,
> Moritz

-- 
Ola Lundqvist, Inguza Technology AB, MSc in Information Technology
o...@inguza.com / o...@debian.org
Annebergsslingan 37, 654 65 KARLSTAD
http://inguza.com/   Mobile: +46 (0)70-332 1551
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
Bug#543312: CVE-2009-2732: Basic Authentication Null Pointer Denial of Service
Package: ntop
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was published for ntop.

CVE-2009-2732[0]:
| The checkHTTPpassword function in http.c in ntop 3.3.10 and earlier
| allows remote attackers to cause a denial of service (NULL pointer
| dereference and daemon crash) via an Authorization HTTP header that
| lacks a : (colon) character in the base64-decoded string.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2732
    http://security-tracker.debian.net/tracker/CVE-2009-2732

Cheers,
Giuseppe.
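As an added illustration of the failure mode the report describes (this is neither ntop's code nor the patch from this thread): a Basic-Auth credential splitter in C that treats an empty decode and a missing ':' as parse failures instead of dereferencing a NULL lookup result. The function names, buffer sizes and sample credentials are constructed for the example.

```c
/* Added example, not ntop's code: split the base64 value of an HTTP Basic
 * Authorization header into user and password; a missing ':' is a parse
 * failure, not a crash. Names and buffer sizes are assumptions. */
#include <stdio.h>
#include <string.h>
enum auth_status { AUTH_OK = 0, AUTH_BAD_BASE64 = -1, AUTH_NO_COLON = -2,
                   AUTH_MISMATCH = -3 };
/* Decode standard base64 into out (NUL-terminated); return the decoded
 * length, or -1 on an invalid symbol or an output buffer that is too small. */
static int b64_decode(const char *in, unsigned char *out, size_t outlen) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0; int bits = 0; size_t n = 0;
    for (; *in != '\0' && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (p == NULL) return -1;
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {                 /* a full byte is available */
            bits -= 8;
            if (n + 1 >= outlen) return -1;
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;     /* keep only the leftover bits */
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Fill user/pw and return AUTH_OK, or a negative status. The colon lookup is
 * NULL-checked before use; the unchecked case is the crash in CVE-2009-2732. */
static int parse_basic_credentials(const char *b64, char *user, size_t ulen,
                                   char *pw, size_t plen) {
    unsigned char decoded[256];
    int n = b64_decode(b64, decoded, sizeof(decoded));
    if (n <= 0) return AUTH_BAD_BASE64;         /* empty or malformed */
    char *colon = strchr((char *)decoded, ':');
    if (colon == NULL) return AUTH_NO_COLON;    /* e.g. just "alice" */
    *colon = '\0';
    snprintf(user, ulen, "%s", (char *)decoded);
    snprintf(pw, plen, "%s", colon + 1);
    return AUTH_OK;
}

/* Parse b64 and compare the result with the expected user and password. */
static int check_credentials(const char *b64, const char *want_user, const char *want_pw) {
    char user[64], pw[64];
    int st = parse_basic_credentials(b64, user, sizeof(user), pw, sizeof(pw));
    if (st != AUTH_OK) return st;
    return (strcmp(user, want_user) == 0 && strcmp(pw, want_pw) == 0) ? AUTH_OK : AUTH_MISMATCH;
}
```

"YWxpY2U6czNjcjN0" decodes to the constructed credential "alice:s3cr3t" and parses cleanly; "YWxpY2U=" decodes to "alice" alone and is rejected with AUTH_NO_COLON, the input class that crashed unpatched ntop.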