Your message dated Sun, 09 Sep 2007 19:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#441393: fixed in librpcsecgss 0.14-4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: librpcsecgss
Version: 0.14-3
Severity: grave
Tags: security
Hi,
a CVE has been issued against this package:
CVE-2007-3999:
Stack-based buffer overflow in the svcauth_gss_validate function in
lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library in MIT Kerberos 5 (krb5)
1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and
other applications that use krb5, allows remote attackers to cause a denial of
service (daemon crash) and probably execute arbitrary code via a long string in
an RPC message.
CVE-2007-4743
The original patch for CVE-2007-3999 in svc_auth_gss.c in the RPCSEC_GSS RPC
library in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos
administration daemon (kadmind) and other applications that use krb5, does not
correctly check the buffer length in some environments and architectures, which
might allow remote attackers to conduct a buffer overflow attack.
Please include the CVE id (CVE-2007-4743) in the changelog if you fix this bug.
I have an NMU ready for this bug, please ping me if I have your ok to upload,
otherwise I will wait 2 days on reaction.
Kind regards
Nico
--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpEeeysHPWnV.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: librpcsecgss
Source-Version: 0.14-4
We believe that the bug you reported is fixed in the latest version of
librpcsecgss, which is due to be installed in the Debian FTP archive:
librpcsecgss-dev_0.14-4_i386.deb
to pool/main/libr/librpcsecgss/librpcsecgss-dev_0.14-4_i386.deb
librpcsecgss3_0.14-4_i386.deb
to pool/main/libr/librpcsecgss/librpcsecgss3_0.14-4_i386.deb
librpcsecgss_0.14-4.diff.gz
to pool/main/libr/librpcsecgss/librpcsecgss_0.14-4.diff.gz
librpcsecgss_0.14-4.dsc
to pool/main/libr/librpcsecgss/librpcsecgss_0.14-4.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Baumann <[EMAIL PROTECTED]> (supplier of updated librpcsecgss package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 9 Sep 2007 21:03:00 +0200
Source: librpcsecgss
Binary: librpcsecgss-dev librpcsecgss3
Architecture: source i386
Version: 0.14-4
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <[EMAIL PROTECTED]>
Changed-By: Daniel Baumann <[EMAIL PROTECTED]>
Description:
librpcsecgss-dev - header files and docs for librpcsecgss
librpcsecgss3 - allows secure rpc communication using the rpcsec_gss protocol
Closes: 441393
Changes:
librpcsecgss (0.14-4) unstable; urgency=high
.
[ Nico Golde ]
* Fixed DoS and possible arbitary code execution due to a
stack-based buffer overflow (CVE-2007-4743) (Closes: #441393).
Files:
99b874c51cdb3c9e87acaf6c33f4799a 736 libs optional librpcsecgss_0.14-4.dsc
fb10c38b9eb3363643820afeee49e0e9 1838 libs optional librpcsecgss_0.14-4.diff.gz
830388c9615bc4221a6cf3b84eb8bd89 41396 libdevel optional
librpcsecgss-dev_0.14-4_i386.deb
a178ac93862b2da4c0c89b700dd1bb3a 31308 libs standard
librpcsecgss3_0.14-4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFG5EP4+C5cwEsrK54RAid7AJ9UgdL5GKSqENLQAcr2nVn4kG20vgCgtxRA
dfuAZO6W8YDOoccdVOts990=
=yheK
-----END PGP SIGNATURE-----
--- End Message ---
