Re: Bug#614785: Found too in oldstable/lenny?
Hi everybody,

On Wednesday, 23.02.2011, 16:13 +0100, Michael Biebl wrote:
> A fixed package has been uploaded to unstable and stable-security (squeeze).

First the good news: I can confirm that upgrading *all* avahi packages to 0.6.28-4 fixes the problem (only upgrading avahi-daemon does not!).

On Thursday, 24.02.2011, 13:27 +0100, Salvatore Bonaccorso wrote:
> I can reproduce this too on lenny, can someone confirm that? Up to date lenny system with avahi-daemon 0.6.23-3lenny2.

Now the bad news: The Debian security tracker[1] says:

[lenny] - avahi not-affected (Vulnerable code not present, introduced in 0.6.25)

That's wrong: Looking at the source code reveals this:

$ cat avahi-0.6.23/debian/patches/15_CVE-2010-2244.patch --- a/avahi-core/socket.c +++ avahi-0.6.23/avahi-core/socket.c @@ -652,6 +652,10 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv4( goto fail; } +/* corrupt packets have zero size */ +if (!ms) +goto fail; + p = avahi_dns_packet_new(ms + AVAHI_DNS_PACKET_EXTRA_SIZE); io.iov_base = AVAHI_DNS_PACKET_DATA(p); @@ -805,6 +809,10 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv6( goto fail; } +/* corrupt packets have zero size */ +if (!ms) +goto fail; + p = avahi_dns_packet_new(ms + AVAHI_DNS_PACKET_EXTRA_SIZE); io.iov_base = AVAHI_DNS_PACKET_DATA(p); $

So, the code which introduced this vulnerability (CVE-2011-1002[1]) was actually added[2] when fixing another vulnerability (CVE-2010-2244[3]). As a consequence, lenny IS indeed vulnerable and needs to be fixed too.

Best regards and thank you very much for your work!

Alexander Kurtz

[1] http://security-tracker.debian.org/tracker/CVE-2011-1002
[2] http://packages.qa.debian.org/a/avahi/news/20100805T140231Z.html
[3] http://security-tracker.debian.org/tracker/CVE-2010-2244
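Review bot: in both hunks (avahi_recv_dns_packet_ipv4 and avahi_recv_dns_packet_ipv6) the added `if (!ms) goto fail;` leaves the function before the receive buffer is even set up (`io.iov_base = AVAHI_DNS_PACKET_DATA(p);` comes after it), so the zero-length datagram that made `ms` zero is never read off the socket; nothing drains it, the same datagram is presented again on the next read attempt, and the daemon spins, which is the 100% CPU behaviour this thread reports as CVE-2011-1002. The size check is the right idea for CVE-2010-2244, but the datagram has to be consumed before or instead of the early `goto fail`; a regression test that delivers an empty mDNS datagram and checks that the daemon returns to idle would have caught the spin.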
Re: Bug#614785: Found too in oldstable/lenny?
On 24.02.2011 15:52, Michael Biebl wrote:
> On 24.02.2011 15:48, Alexander Kurtz wrote:
>> So, the code which introduced this vulnerability (CVE-2011-1002[1]) was actually added[2] when fixing another vulnerability (CVE-2010-2244[3]). As a consequence, lenny IS indeed vulnerable and needs to be fixed too.
> Correct. I uploaded a fixed lenny package to oldstable-security 30min ago.

But you are right, the security tracker should be updated

--
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
Re: Bug#614785: Found too in oldstable/lenny?
On 24.02.2011 15:48, Alexander Kurtz wrote:
> So, the code which introduced this vulnerability (CVE-2011-1002[1]) was actually added[2] when fixing another vulnerability (CVE-2010-2244[3]). As a consequence, lenny IS indeed vulnerable and needs to be fixed too.

Correct. I uploaded a fixed lenny package to oldstable-security 30min ago.

Cheers,
Michael
Re: avahi-daemon uses 100% of cpu when scanned with nmap (DoS possible?)
> Package: avahi-daemon
> Version: 0.6.27-2
> Tags: security
> Severity: critical
> Justification: Introduces possible denial-of-service scenario.
>
> Hi,
>
> when I scan my server from another machine on the network using nmap, I get this:

[snip]

It seems that mandriva already released an update for avahi : http://lists.grok.org.uk/pipermail/full-disclosure/2011-February/079525.html

I guess you're facing the same issue.

Regards
Re: avahi-daemon uses 100% of cpu when scanned with nmap (DoS possible?)
On Thu, 2011-02-24 at 15:31 +, Julien Reveret wrote:
> [snip]
> It seems that mandriva already released an update for avahi : http://lists.grok.org.uk/pipermail/full-disclosure/2011-February/079525.html
> I guess you're facing the same issue.

0.6.28-4 has been accepted to unstable yesterday and afaik the fix was uploaded to stable-security but not yet accepted.

Regards,
--
Yves-Alexis
Re: Bug#614785: Found too in oldstable/lenny?
On Thursday, 24.02.2011, 15:57 +0100, Michael Biebl wrote:
> But you are right, the security tracker should be updated

http://svn.debian.org/wsvn/secure-testing/?rev=16247

Best regards
Alexander Kurtz
clamav htmlnorm DoS / TEMP-0000000-20B67B
Is clamav htmlnorm DoS / TEMP-000-20B67B[1] the same as CVE-2007-4510[2]?

1: http://security-tracker.debian.org/tracker/TEMP-000-20B67B
2: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4510

Best regards,
Henri Salo