Your message dated Fri, 21 Nov 2008 01:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#506179: fixed in no-ip 2.1.7-11
has caused the Debian Bug report #506179,
regarding no-ip: remote code execution vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
506179: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506179
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Source: no-ip
Severity: grave
Version: 2.1.1-4
Tags: security
Hi,
An exploit[1] has been published for the no-ip DUC.
At the moment there's not much other information than that provided in the
exploit, which I can summarise as:
The exploit relies on DNS poisoning or man-in-the-middle attacks to fake the
server's response.
Once this has been done the exploit waits for an IP check, to then prepare the
shellcode to send, which requires knowledge of the memory offset of the
buffer, which must of course be static and determined for each build.
After the client receives a faked IP to force an update the exploit delivers
the shellcode, which is executed because of a buffer overflow when processing
the server's response.
If you fix the vulnerability please also make sure to include the CVE id when
one is assigned in the changelog entry.
[1] http://www.milw0rm.com/exploits/7151
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
--- End Message ---
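The report above describes an overflow while the client copies an untrusted IP-check reply into a fixed buffer. As an added illustration of the kind of bounds-checked handling that closes this class of bug (not the no-ip project's own code, and with hypothetical names: parse_ip_reply, MAX_REPLY, IPV4_STR_MAX), the following rejects any reply that is too long or is not a plain dotted-quad instead of trusting its length:

```c
/* Added example, not from the no-ip sources or the bug report.
 * parse_ip_reply() and the sizes below are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_REPLY    64   /* hypothetical fixed receive buffer of a DUC client */
#define IPV4_STR_MAX 16   /* "255.255.255.255" plus terminating NUL */

/* Validate a raw reply of `len` bytes (the count actually received, not strlen(),
 * so an unterminated reply cannot be read past the receive buffer). On success
 * writes a canonical dotted-quad into `out` and returns 0; otherwise returns -1
 * and leaves `out` untouched. Nothing is copied before the whole reply is checked. */
int parse_ip_reply(const char *reply, size_t len, char out[IPV4_STR_MAX]) {
    unsigned octets[4];
    size_t i = 0;

    /* A reply longer than an IPv4 literal can never be valid: refuse it outright
     * rather than copying it into a buffer that cannot hold it. */
    if (len == 0 || len >= IPV4_STR_MAX)
        return -1;

    for (int n = 0; n < 4; n++) {
        unsigned v = 0;
        int digits = 0;
        if (i >= len || !isdigit((unsigned char)reply[i]))
            return -1;                      /* octet must start with a digit */
        while (i < len && isdigit((unsigned char)reply[i])) {
            v = v * 10 + (unsigned)(reply[i] - '0');
            if (++digits > 3 || v > 255)
                return -1;                  /* octet out of range */
            i++;
        }
        octets[n] = v;
        if (n < 3) {
            if (i >= len || reply[i] != '.')
                return -1;                  /* expected separator */
            i++;
        }
    }
    if (i != len)
        return -1;                          /* trailing bytes: reject, never truncate */

    snprintf(out, IPV4_STR_MAX, "%u.%u.%u.%u",
             octets[0], octets[1], octets[2], octets[3]);
    return 0;
}
```

The caller should still treat an accepted address as untrusted data (it only controls what the client believes its own address is), but it can no longer drive the size of any copy.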
--- Begin Message ---
Source: no-ip
Source-Version: 2.1.7-11
We believe that the bug you reported is fixed in the latest version of
no-ip, which is due to be installed in the Debian FTP archive:
no-ip_2.1.7-11.diff.gz
to pool/main/n/no-ip/no-ip_2.1.7-11.diff.gz
no-ip_2.1.7-11.dsc
to pool/main/n/no-ip/no-ip_2.1.7-11.dsc
noip2_2.1.7-11_i386.deb
to pool/main/n/no-ip/noip2_2.1.7-11_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andres Mejia <[EMAIL PROTECTED]> (supplier of updated no-ip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 20 Nov 2008 19:25:31 -0500
Source: no-ip
Binary: noip2
Architecture: source i386
Version: 2.1.7-11
Distribution: unstable
Urgency: high
Maintainer: Otavio Salvador <[EMAIL PROTECTED]>
Changed-By: Andres Mejia <[EMAIL PROTECTED]>
Description:
noip2 - client for dynamic DNS service
Closes: 506179
Changes:
no-ip (2.1.7-11) unstable; urgency=high
.
[ Avi Rozen ]
* Fixed grave bug: remote code execution vulnerability. (Closes: #506179)
--- End Message ---