Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

2008-11-24 Thread matt donovan
On Mon, Nov 24, 2008 at 5:06 PM, William Palfreman <[EMAIL PROTECTED]> wrote:

> 2008/11/24 Volker <[EMAIL PROTECTED]>:
> > On 11/24/08 19:55, William Palfreman wrote:
> >> 2008/11/23  <[EMAIL PROTECTED]>:
> >>> Synopsis: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829
> >>
> >> Can we not have these on the freebsd-security list please?  I
> >> subscribe to freebsd-security to get security alerts, not to get
> >> emails every time a port is changed.
> >>
> >> William Palfreman
> >
> > You should better head over to security-advisories@ if you're only
> > interested in SA's. Claiming about reading security related issues on a
> > security mailing list sounds like fun.
> >
> > I appreciate Eygene's work.
>
> That's nice.  I am sure it is very useful on the ports mailinglist
> where it belongs.  I also greatly enjoy the frequent interesting and
> informed discussion on the security mailinglist - of which Eirik
> Overby's thread recently about syn+fin is one example.  But all these
> ports announcements, raw patches, garbled html etc. I could really do
> without.  It is why there are separate lists.
> ___
> freebsd-ports@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
>

You do know that the email you're complaining about is about a security update,
correct? If you don't like it then you really need to use
security-advisories instead of being subscribed to this one.
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

2008-11-24 Thread Volker
On 11/24/08 19:55, William Palfreman wrote:
> 2008/11/23  <[EMAIL PROTECTED]>:
>> Synopsis: [vuxml] [patch] update audio/streamripper to 1.64.0, fix 
>> CVE-2008-4829
> 
> Can we not have these on the freebsd-security list please?  I
> subscribe to freebsd-security to get security alerts, not to get
> emails every time a port is changed.
> 
> William Palfreman

You should better head over to security-advisories@ if you're only
interested in SA's. Claiming about reading security related issues on a
security mailing list sounds like fun.

I appreciate Eygene's work.

Volker




Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

2008-11-24 Thread William Palfreman
2008/11/24 Volker <[EMAIL PROTECTED]>:
> On 11/24/08 19:55, William Palfreman wrote:
>> 2008/11/23  <[EMAIL PROTECTED]>:
>>> Synopsis: [vuxml] [patch] update audio/streamripper to 1.64.0, fix 
>>> CVE-2008-4829
>>
>> Can we not have these on the freebsd-security list please?  I
>> subscribe to freebsd-security to get security alerts, not to get
>> emails every time a port is changed.
>>
>> William Palfreman
>
> You should better head over to security-advisories@ if you're only
> interested in SA's. Claiming about reading security related issues on a
> security mailing list sounds like fun.
>
> I appreciate Eygene's work.

That's nice.  I am sure it is very useful on the ports mailinglist
where it belongs.  I also greatly enjoy the frequent interesting and
informed discussion on the security mailinglist - of which Eirik
Overby's thread recently about syn+fin is one example.  But all these
ports announcements, raw patches, garbled html etc. I could really do
without.  It is why there are separate lists.


Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

2008-11-24 Thread William Palfreman
2008/11/23  <[EMAIL PROTECTED]>:
> Synopsis: [vuxml] [patch] update audio/streamripper to 1.64.0, fix 
> CVE-2008-4829

Can we not have these on the freebsd-security list please?  I
subscribe to freebsd-security to get security alerts, not to get
emails every time a port is changed.

William Palfreman


Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

2008-11-23 Thread miwi
Synopsis: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

State-Changed-From-To: open->closed
State-Changed-By: miwi
State-Changed-When: Sun Nov 23 08:55:48 UTC 2008
State-Changed-Why: 
Committed. Thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=128999


Re: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

2008-11-19 Thread miwi
Synopsis: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

Responsible-Changed-From-To: freebsd-ports-bugs->miwi
Responsible-Changed-By: miwi
Responsible-Changed-When: Thu Nov 20 05:31:49 UTC 2008
Responsible-Changed-Why: 
I'll take it.

http://www.freebsd.org/cgi/query-pr.cgi?pr=128999


ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829

2008-11-19 Thread Eygene Ryabinkin

>Number:         128999
>Category:       ports
>Synopsis:       [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 19 21:30:14 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE i386

>Description:

Streamripper 1.64.0 is out and this release fixes a security vulnerability
discovered by Secunia.

>How-To-Repeat:

http://streamripper.cvs.sourceforge.net/viewvc/streamripper/sripper_1x/CHANGES?revision=1.196
http://secunia.com/secunia_research/2008-50/

>Fix:

The following patch updates the port to 1.64.0.  It works for me: MP3
streams are ripped perfectly.
--- 1.63.5-to-1.64.0-fix-cve-2008-4829.diff begins here ---
diff -urN ./Makefile ../streamripper/Makefile
--- ./Makefile  2008-11-19 23:50:33.0 +0300
+++ ../streamripper/Makefile2008-11-19 23:57:00.0 +0300
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=  streamripper
-PORTVERSION=   1.63.5
+PORTVERSION=   1.64.0
 CATEGORIES=audio
 MASTER_SITES=  SF \
http://gd.tuwien.ac.at/hci/cdk/:cdk
diff -urN ./distinfo ../streamripper/distinfo
--- ./distinfo  2008-11-19 23:50:33.0 +0300
+++ ../streamripper/distinfo2008-11-19 23:57:19.0 +0300
@@ -1,6 +1,6 @@
-MD5 (streamripper-1.63.5.tar.gz) = 73a63383dca00615c3328cf51bf2fa56
-SHA256 (streamripper-1.63.5.tar.gz) = 
877aed28880b904383c4e761c0ecb1e046dbe45126e648110c0292991d1e5b93
-SIZE (streamripper-1.63.5.tar.gz) = 1302177
+MD5 (streamripper-1.64.0.tar.gz) = f8754813ddc2bc96c4c3440e25aca8b6
+SHA256 (streamripper-1.64.0.tar.gz) = 
a53f50d26de3610e59a07eaf81cc9da348aaf7b35bc4a302f2e5f6defb1297ae
+SIZE (streamripper-1.64.0.tar.gz) = 839535
 MD5 (cdk-5.0-20060507.tgz) = 0ec2460a4484d5f5595d8faca61bc9c5
 SHA256 (cdk-5.0-20060507.tgz) = 
e823bfcce52916727cb23d6d549a64347c45c364b3c628d6a352c407fce8f4b4
 SIZE (cdk-5.0-20060507.tgz) = 396514
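Review bot: the SHA256 digests in this hunk sit on their own lines with no leading `+`, `-` or space marker (for example the line after `+SHA256 (streamripper-1.64.0.tar.gz) =`), so patch(1) will reject the hunk as posted; rejoin each digest to its `SHA256 (...) =` line before applying, or regenerate the file with `make makesum`. The new tarball is also recorded as 839535 bytes against 1302177 for 1.63.5, so it is worth checking the recorded checksums against upstream's published release rather than only against a local fetch.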
--- 1.63.5-to-1.64.0-fix-cve-2008-4829.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  
streamripper -- user-assisted arbitrary code execution

  
streamripper
1.64.0
  


Secunia Research has discovered some vulnerabilities in
Streamripper, which can be exploited by malicious people to
compromise a user's system:
http://secunia.com/secunia_research/2008-50/
  
A boundary error exists within http_parse_sc_header() in
lib/http.c when parsing an overly long HTTP header starting
with “Zwitterion v”.
A boundary error exists within http_get_pls() in
lib/http.c when parsing a specially crafted pls playlist
containing an overly long entry.
A boundary error exists within http_get_m3u() in
lib/http.c when parsing a specially crafted m3u playlist
containing an overly long “File” entry.
  
  Successful exploitation allows execution of arbitrary
  code, but requires that a user is tricked into connecting
  to a malicious server.

  


  CVE-2008-4829
  http://secunia.com/secunia_research/2008-50/
  
http://streamripper.cvs.sourceforge.net/viewvc/streamripper/sripper_1x/CHANGES?revision=1.196


  2008-11-19

  
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
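
The VuXML text above describes boundary errors when lib/http.c parses overly long header and playlist entries. As an added illustration (not streamripper's code and not part of the original PR), this is the length check such a parser needs before copying a server-supplied playlist entry into a fixed buffer; `pls_copy_file_entry`, the result codes and `MAX_URL_LEN` are hypothetical names chosen for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_URL_LEN 256  /* assumed destination size, not streamripper's */

enum pls_result { PLS_OK, PLS_NOT_FILE, PLS_MALFORMED, PLS_TOO_LONG };

/*
 * Copy the value of a "FileN=<url>" playlist line into out[outsz].
 * The server-supplied value is measured against the destination size
 * before any byte is copied; an oversized entry is rejected rather
 * than truncated or written past the end of the buffer.
 */
enum pls_result pls_copy_file_entry(const char *line, char *out, size_t outsz)
{
    const char *p, *val;
    size_t len;

    if (line == NULL || out == NULL || outsz == 0)
        return PLS_MALFORMED;
    out[0] = '\0';                       /* never leave stale data behind */
    if (strncmp(line, "File", 4) != 0)
        return PLS_NOT_FILE;

    p = line + 4;                        /* entry index: one or more digits */
    if (!isdigit((unsigned char)*p))
        return PLS_MALFORMED;
    while (isdigit((unsigned char)*p))
        p++;
    if (*p != '=')
        return PLS_MALFORMED;

    val = p + 1;
    len = strcspn(val, "\r\n");          /* value ends at the line terminator */
    if (len == 0)
        return PLS_MALFORMED;
    if (len >= outsz)                    /* no room for the value plus NUL */
        return PLS_TOO_LONG;
    memcpy(out, val, len);
    out[len] = '\0';
    return PLS_OK;
}

int main(void)
{
    char url[MAX_URL_LEN];
    /* Constructed sample line, not taken from a real playlist. */
    enum pls_result r = pls_copy_file_entry("File1=http://radio.example:8000/live\r\n", url, sizeof url);
    printf("%d %s\n", (int)r, url);
    return 0;
}
```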