CVE-2008-3651: memory leak

Related Vulnerabilities: CVE-2008-3651  

Debian Bug report logs - #495214
CVE-2008-3651: memory leak


Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Fri, 15 Aug 2008 13:00:02 UTC

Severity: grave

Tags: security

Found in versions ipsec-tools/1:0.7-2.1, ipsec-tools/1:0.6.6-3.1etch4

Fixed in version 1:0.7.1-1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Ganesan Rajagopal <rganesan@debian.org>:
Bug#495214; Package ipsec-tools.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Ganesan Rajagopal <rganesan@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-3651: memory leak
Date: Fri, 15 Aug 2008 22:56:26 +1000
Package: ipsec-tools
Severity: grave
Tags: security
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ipsec-tools.

CVE-2008-3651[0]:
| Memory leak in racoon/proposal.c in the racoon daemon in ipsec-tools
| before 0.7.1 allows remote authenticated users to cause a denial of
| service (memory consumption) via invalid proposals.

There is an upstream discussion going on here[1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3651
    http://security-tracker.debian.net/tracker/CVE-2008-3651

[1] http://sourceforge.net/mailarchive/forum.php?thread_name=48a0c7a0.qPeWZAE0PY8bDDq%2B%25olel%40ans.pl&forum_name=ipsec-tools-devel




Bug marked as found in version 1:0.7-2.1. Request was from tv@beamnet.de (Thomas Viehmann) to control@bugs.debian.org. (Fri, 29 Aug 2008 07:48:17 GMT)


Bug marked as fixed in version 1:0.7.1-1. Request was from tv@beamnet.de (Thomas Viehmann) to control@bugs.debian.org. (Fri, 29 Aug 2008 07:48:18 GMT)


Bug marked as found in version 1:0.6.6-3.1etch4. Request was from tv@beamnet.de (Thomas Viehmann) to control@bugs.debian.org. (Fri, 29 Aug 2008 08:06:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Ganesan Rajagopal <rganesan@debian.org>:
Bug#495214; Package ipsec-tools.


Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to Ganesan Rajagopal <rganesan@debian.org>.


Message #16 received at 495214@bugs.debian.org:

From: Thomas Viehmann <tv@beamnet.de>
To: 495214@bugs.debian.org
Cc: debian-release@lists.debian.org
Subject: ipsec-tools in unstable fixes RC bug
Date: Sat, 30 Aug 2008 13:47:41 +0200
Hi,

apparently, #495214: CVE-2008-3651: memory leak is fixed in unstable by
virtue of the new upstream release without the maintainer knowing /
noting it in the changelog.

The new upstream release has a largish diff to the version in testing,
does the release team want the version from unstable or a backported fix?

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/




Information forwarded to debian-bugs-dist@lists.debian.org, Ganesan Rajagopal <rganesan@debian.org>:
Bug#495214; Package ipsec-tools.


Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Ganesan Rajagopal <rganesan@debian.org>.


Message #21 received at 495214@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: Thomas Viehmann <tv@beamnet.de>
Cc: 495214@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: ipsec-tools in unstable fixes RC bug
Date: Sun, 31 Aug 2008 20:01:47 +0200
Thomas Viehmann wrote:
> Hi,
> 
> apparently, #495214: CVE-2008-3651: memory leak is fixed in unstable by
> virtue of the new upstream release without the maintainer knowing /
> noting it in the changelog.
> 
> The new upstream release has a largish diff to the version in testing,
> does the release team want the version from unstable or a backported fix?

unblocked

Cheers

Luk




Information forwarded to debian-bugs-dist@lists.debian.org, Ganesan Rajagopal <rganesan@debian.org>:
Bug#495214; Package ipsec-tools.


Acknowledgement sent to Ganesan Rajagopal <rganesan@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ganesan Rajagopal <rganesan@debian.org>.


Message #26 received at 495214@bugs.debian.org:

From: Ganesan Rajagopal <rganesan@gmail.com>
To: Thomas Viehmann <tv@beamnet.de>, 495214@bugs.debian.org
Cc: debian-release@lists.debian.org
Subject: Re: Bug#495214: ipsec-tools in unstable fixes RC bug
Date: Tue, 2 Sep 2008 10:15:48 +0530
On Sat, Aug 30, 2008 at 01:47:41PM +0200, Thomas Viehmann wrote:
> Hi,
> 
> apparently, #495214: CVE-2008-3651: memory leak is fixed in unstable by
> virtue of the new upstream release without the maintainer knowing /
> noting it in the changelog.

I wasn't aware of this CVE when I uploaded the version in unstable. I
missed the freeze by just a few hours :-(.

> The new upstream release has a largish diff to the version in testing,
> does the release team want the version from unstable or a backported fix?

Though the diff is large, it's a bug fix release which I uploaded at the
last minute trying to beat the freeze (and missed it!). I'd request the
unstable version to move into testing. I see that it's been already done
- thanks :-). 

Ganesan

-- 
Ganesan Rajagopal




Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Fri, 03 Oct 2008 13:03:04 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Fri, 03 Oct 2008 13:03:04 GMT)


Message #31 received at 495214-done@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 495214-done@bugs.debian.org
Subject: closing
Date: Fri, 3 Oct 2008 15:00:43 +0200
Version: 1:0.7.1-1

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Feb 2009 07:47:50 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:17:15 2019; Machine Name: buxtehude
