Bug#543312: CVE-2009-2732: Basic Authentication Null Pointer Denial of Service

2009-09-29 Thread Giuseppe Iuculano
Ola Lundqvist ha scritto:
 Sure. In that case where do I upload it. To lenny-proposed-updates?

stable-proposed-updates for lenny and oldstable-proposed-updates for etch.[1]
Please contact the stable release team before you upload.

[1]http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

Cheers,
Giuseppe.





Bug#543312: CVE-2009-2732: Basic Authentication Null Pointer Denial of Service

2009-09-27 Thread Ola Lundqvist
Hi Giuseppe

Thanks a lot for the report. The attached patch should solve
this problem.

To the security team. Do you want me to upload this to stable in
addition to unstable?

Please also review if you think this solution is good enough?

// Ola



On Mon, Aug 24, 2009 at 08:46:17AM +0200, Giuseppe Iuculano wrote:
 Package: ntop
 Severity: serious
 Tags: security
 
 
 Hi,
 the following CVE (Common Vulnerabilities & Exposures) id was
 published for ntop.
 
 CVE-2009-2732[0]:
 | The checkHTTPpassword function in http.c in ntop 3.3.10 and earlier
 | allows remote attackers to cause a denial of service (NULL pointer
 | dereference and daemon crash) via an Authorization HTTP header that
 | lacks a : (colon) character in the base64-decoded string.
 
 If you fix the vulnerability please also make sure to include the
 CVE id in your changelog entry.
 
 For further information see:
 
 [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2732
 http://security-tracker.debian.net/tracker/CVE-2009-2732
 
 Cheers,
 Giuseppe.
 
 
 
 

-- 
 - Ola Lundqvist ---
/  o...@debian.org Annebergsslingan 37  \
|  o...@inguza.com  654 65 KARLSTAD  |
|  http://inguza.com/  +46 (0)70-332 1551   |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---
--- http.c~	2007-06-09 16:33:45.0 +0200
+++ http.c	2009-09-27 09:50:56.420394637 +0200
@@ -3377,8 +3377,8 @@ static int checkHTTPpassword(char *theRe
 
   i = decodeString(thePw, (unsigned char*)outBuffer, sizeof(outBuffer));
 
-  if(i == 0) {
 user = , thePw[0] = '\0';
+  if(i == 0) {
 outBuffer[0] = '\0';
   } else {
 outBuffer[i] = '\0';
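Review bot: moving `if(i == 0) {` below the assignment line makes that assignment unconditional, so `user` points at a valid string on every path, including a successful decode whose bytes contain no ':', which is exactly the NULL dereference CVE-2009-2732 describes; but the colon search and the compare that consumes `user` lie outside this hunk, so please add a one-line comment at the moved `if` stating that `user` must never be NULL by the time the later compare runs, and confirm that the password half also has a defined value when no ':' is found and that clearing `thePw[0]` unconditionally is harmless in the `else` branch that is not shown. The `-3377,8 +3377,8` header confirms this is a pure one-line move with no other behaviour change. As rendered in this mail the context line reads `user = , thePw[0] = '\0';`, which is not valid C: the empty-string literal appears to have been dropped in transit, so apply from the attached patch file rather than from this text. Since the report asks for the CVE id in the changelog, make sure the debian/changelog entry for this upload references CVE-2009-2732.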


Bug#543312: CVE-2009-2732: Basic Authentication Null Pointer Denial of Service

2009-09-27 Thread Moritz Muehlenhoff
On Sun, Sep 27, 2009 at 11:35:46AM +0200, Ola Lundqvist wrote:
 Hi Giuseppe
 
 Thanks a lot for the report. The attached patch should solve
 this problem.
 
 To the security team. Do you want me to upload this to stable in
 addition to unstable?

This doesn't warrant a DSA, but you could propose it for a point
update.

Cheers,
Moritz



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#543312: CVE-2009-2732: Basic Authentication Null Pointer Denial of Service

2009-09-27 Thread Ola Lundqvist
Hi Moritz

On Sun, Sep 27, 2009 at 12:40:54PM +0200, Moritz Muehlenhoff wrote:
 On Sun, Sep 27, 2009 at 11:35:46AM +0200, Ola Lundqvist wrote:
  Hi Giuseppe
  
  Thanks a lot for the report. The attached patch should solve
  this problem.
  
  To the security team. Do you want me to upload this to stable in
  addition to unstable?
 
 This doesn't warrant a DSA, but you could propose it for a point
 update.

Sure. In that case where do I upload it. To lenny-proposed-updates?

Best regards,

// Ola

 Cheers,
 Moritz
 

-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comAnnebergsslingan 37\
|  o...@debian.org   654 65 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---






Bug#543312: CVE-2009-2732: Basic Authentication Null Pointer Denial of Service

2009-08-24 Thread Giuseppe Iuculano
Package: ntop
Severity: serious
Tags: security



Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ntop.

CVE-2009-2732[0]:
| The checkHTTPpassword function in http.c in ntop 3.3.10 and earlier
| allows remote attackers to cause a denial of service (NULL pointer
| dereference and daemon crash) via an Authorization HTTP header that
| lacks a : (colon) character in the base64-decoded string.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2732
http://security-tracker.debian.net/tracker/CVE-2009-2732

Cheers,
Giuseppe.




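The flaw described in the CVE text above, shown as an added example that is neither ntop's code nor the attached patch: a small C model of the Basic-auth credential split, with the vulnerable shape (`user` assigned only when a ':' is found, otherwise left NULL) beside a hardened variant that rejects colon-less input up front. The base64 decoder, the function names, the 256-byte buffer and the sample credentials are all constructed for this example, and the hardened version deliberately takes a different route from the patch (reject as malformed rather than default `user` to an empty string).

```c
/* Added example, not ntop's code: a model of the Basic-auth credential
 * split that CVE-2009-2732 describes, vulnerable shape beside a hardened
 * one.  Function names and the 256-byte buffer are assumptions. */
#include <stdio.h>
#include <string.h>

/* Minimal base64 decoder: returns bytes written, or 0 on any error, the
 * "i == 0 means failure" convention the patched code tests for. */
static int b64_decode(const char *in, unsigned char *out, size_t outsz)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    if (outsz == 0) return 0;
    for (; *in != '\0' && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (p == NULL) return 0;                  /* not a base64 character */
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outsz) return 0;         /* keep room for the NUL */
            out[n++] = (unsigned char)((acc >> bits) & 0xffu);
        }
    }
    out[n] = '\0';
    return (int)n;
}

enum auth_result {
    AUTH_OK = 0,       /* user and password matched */
    AUTH_BAD_CREDS,    /* well formed, but wrong */
    AUTH_MALFORMED,    /* undecodable, or no ':' in the decoded bytes */
    AUTH_WOULD_CRASH   /* vulnerable path: strcmp() reached with user == NULL */
};

/* VULNERABLE shape, as the CVE text describes it: `user` is only assigned
 * when a ':' is found, so a decodable header such as base64("admin") leaves
 * it NULL and the compare that follows would dereference NULL (reported here). */
static int check_basic_vulnerable(const char *b64,
                                  const char *exp_user, const char *exp_pw)
{
    char buf[256];
    const char *user = NULL;                      /* the dangerous default */
    const char *pw = "";
    int i = b64_decode(b64, (unsigned char *)buf, sizeof buf);

    if (i == 0) {
        user = "";                                /* decode failed */
        buf[0] = '\0';
    } else {
        char *colon = strchr(buf, ':');
        if (colon != NULL) {
            *colon = '\0';
            user = buf;
            pw = colon + 1;
        }                                         /* else: user stays NULL */
    }
    if (user == NULL)
        return AUTH_WOULD_CRASH;                  /* original: strcmp(user, ...) */
    return (strcmp(user, exp_user) == 0 && strcmp(pw, exp_pw) == 0)
               ? AUTH_OK : AUTH_BAD_CREDS;
}

/* HARDENED shape: validate the decoded credential before anything reads it.
 * Every return path has user and pw pointing at NUL-terminated strings, and
 * "no ':'" is rejected as malformed.  (Use a constant-time compare in production.) */
static int check_basic_hardened(const char *b64,
                                const char *exp_user, const char *exp_pw)
{
    char buf[256];
    int i = b64_decode(b64, (unsigned char *)buf, sizeof buf);
    if (i <= 0)
        return AUTH_MALFORMED;
    char *colon = memchr(buf, ':', (size_t)i);    /* bounded by decoded length */
    if (colon == NULL)
        return AUTH_MALFORMED;                    /* RFC 2617: userid ":" password */
    *colon = '\0';
    const char *user = buf, *pw = colon + 1;
    return (strcmp(user, exp_user) == 0 && strcmp(pw, exp_pw) == 0)
               ? AUTH_OK : AUTH_BAD_CREDS;
}

int main(void)
{
    /* Constructed inputs: base64("admin:secret"), base64("admin"), non-base64 */
    const char *inputs[] = { "YWRtaW46c2VjcmV0", "YWRtaW4=", "!!!!" };
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++)
        printf("%-18s vulnerable=%d hardened=%d\n", inputs[k],
               check_basic_vulnerable(inputs[k], "admin", "secret"),
               check_basic_hardened(inputs[k], "admin", "secret"));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the middle input is the CVE case: the vulnerable checker reports that it would have reached the compare with a NULL `user`, while the hardened checker returns AUTH_MALFORMED, which a server would map to a 400 or 401 response instead of crashing.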