Debian Bug report logs - #599708: CVE-2010-2812 and CVE-2010-2934
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Sun, 10 Oct 2010 11:21:05 UTC
Severity: grave
Tags: security
Fixed in version 0.092-2
Done: Moritz Muehlenhoff <jmm@inutil.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Patrick Matthäi <pmatthaei@debian.org>: Bug#599708; Package znc. (Sun, 10 Oct 2010 11:21:08 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Patrick Matthäi <pmatthaei@debian.org>. (Sun, 10 Oct 2010 11:21:08 GMT)
Message #5 received at submit@bugs.debian.org:
Package: znc
Severity: grave
Tags: security
CVE-2010-2812 and CVE-2010-2934 are currently only
fixed in experimental, but not sid and Squeeze. The
Red Hat bug contains references to the patches:
https://bugzilla.redhat.com/show_bug.cgi?id=622600
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages znc depends on:
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libgcc1 1:4.4.4-9 GCC support library
ii libperl5.10 5.10.1-14 shared Perl library
ii libssl0.9.8 0.9.8o-1 SSL shared libraries
ii libstdc++6 4.4.4-9 The GNU Standard C++ Library v3
znc recommends no packages.
znc suggests no packages.
Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Matthäi <pmatthaei@debian.org>: Bug#599708; Package znc. (Sun, 10 Oct 2010 11:36:07 GMT)
Acknowledgement sent to pmatthaei@debian.org: Extra info received and forwarded to list. Copy sent to Patrick Matthäi <pmatthaei@debian.org>. (Sun, 10 Oct 2010 11:36:07 GMT)
Message #10 received at 599708@bugs.debian.org:
Hm?
This has been patched since 0.092-2 with 01-out-of-range-error.diff.
At the time I patched it, there was no CVE ID available.
On 10.10.2010 13:19, Moritz Muehlenhoff wrote:
> Package: znc
> Severity: grave
> Tags: security
>
> CVE-2010-2812 and CVE-2010-2934 are currently only
> fixed in experimental, but not sid and Squeeze. The
> Red Hat bug contains references to the patches:
> https://bugzilla.redhat.com/show_bug.cgi?id=622600
>
> Cheers,
> Moritz
>
> -- System Information:
> Debian Release: squeeze/sid
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
> Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages znc depends on:
> ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
> ii libgcc1 1:4.4.4-9 GCC support library
> ii libperl5.10 5.10.1-14 shared Perl library
> ii libssl0.9.8 0.9.8o-1 SSL shared libraries
> ii libstdc++6 4.4.4-9 The GNU Standard C++ Library v3
>
> znc recommends no packages.
>
> znc suggests no packages.
>
>
Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Matthäi <pmatthaei@debian.org>: Bug#599708; Package znc. (Sun, 10 Oct 2010 12:00:10 GMT)
Acknowledgement sent to Uli Schlachter <psychon@znc.in>: Extra info received and forwarded to list. Copy sent to Patrick Matthäi <pmatthaei@debian.org>. (Sun, 10 Oct 2010 12:00:10 GMT)
Message #15 received at 599708@bugs.debian.org:
On 10.10.2010 13:19, Moritz Muehlenhoff wrote:
> Package: znc
> Severity: grave
> Tags: security
>
> CVE-2010-2812 and CVE-2010-2934 are currently only
> fixed in experimental, but not sid and Squeeze. The
> Red Hat bug contains references to the patches:
> https://bugzilla.redhat.com/show_bug.cgi?id=622600
>
> Cheers,
> Moritz
From a quick look at the source package, the included patch
"01-out-of-range-error.diff" seems to fix exactly this.[1]
According to the patch description this would be a dupe of bug #592064.
Cheers,
Uli
[1] http://patch-tracker.debian.org/patch/series/view/znc/0.092-3/01-out-of-range-error.diff
--
- Buck, when, exactly, did you lose your mind?
- Three months ago. I woke up one morning married to a pineapple.
An ugly pineapple... But I loved her
Reply sent to Moritz Muehlenhoff <jmm@inutil.org>: You have taken responsibility. (Sun, 10 Oct 2010 17:12:03 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Sun, 10 Oct 2010 17:12:03 GMT)
Message #20 received at 599708-done@bugs.debian.org:
Version: 0.092-2
On Sun, Oct 10, 2010 at 01:47:21PM +0200, Uli Schlachter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 10.10.2010 13:19, Moritz Muehlenhoff wrote:
> > Package: znc
> > Severity: grave
> > Tags: security
> >
> > CVE-2010-2812 and CVE-2010-2934 are currently only
> > fixed in experimental, but not sid and Squeeze. The
> > Red Hat bug contains references to the patches:
> > https://bugzilla.redhat.com/show_bug.cgi?id=622600
> >
> > Cheers,
> > Moritz
>
> From a quick look at the source package, the included patch
> "01-out-of-range-error.diff" seems to fix exactly this.[1]
> According to the patch description this would be a dupe of bug #592064.
Ok, marking as fixed in the Security Tracker.
Cheers,
Moritz
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 08 Nov 2010 07:30:42 GMT)
Last modified: Wed Jun 19 15:03:50 2019; Machine Name: buxtehude