Package: no-ip
Version: 2.1.1-4
Severity: critical
Tags: security, fixed-upstream

I just received the attached message from No-IP.com. This affects
stable and testing.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

--- Begin Message ---
No-IP has determined that the following advisory is applicable to one or
more of the systems you have registered.

Security Advisory - 2008-11-22
------------------------------------------------------------------------------

Summary:
Important: No-IP Linux DUC (Dynamic Update Client)

An updated version of the No-IP Linux Dynamic Update Client that fixes a
security issue is now available. This update has been rated as having
important security impact.

Description:
Versions 2.1.1 -> 2.1.8 are prone to a stack-based buffer-overflow due to a
boundary error when processing HTTP responses received from the update
server. This can be exploited and cause a stack-based buffer overflow when
performing an update. A malicious user could exploit this by faking the
No-IP update server via DNS poisoning or a man in the middle attack. This
can cause a denial of service (client crash) or potentially execute
arbitrary code on the computer the client is running on.

Users running versions 2.1.8 and older are encouraged to upgrade to the
most recent version, 2.1.9 at http://www.no-ip.com/downloads?page=linux&av=1

Regards,
The No-IP Team

Note: This email was sent from an unmonitored account. If you have any
questions or comments please open a trouble ticket at
http://www.no-ip.com/ticket
--- End Message ---
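
The class of boundary error the advisory describes, as an added C example (not part of the original report and not the No-IP client's code): a reader that rejects a server reply larger than its fixed stack buffer instead of letting the peer decide how much gets written. The names read_response, demo_fill and RESP_MAX, the 256-byte cap, and the pipe standing in for the update-server socket are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define RESP_MAX 256 /* assumed cap for a short update-server reply */

/* Unsafe pattern, kept as a comment: the peer decides when writing stops.
 *   char buf[RESP_MAX]; char *p = buf;
 *   while ((n = read(fd, p, RESP_MAX)) > 0) p += n;   */

/* Read the whole reply from fd into out (cap bytes, NUL-terminated).
 * Returns its length, or -1 on I/O error or a reply over cap - 1 bytes. */
long read_response(int fd, char *out, size_t cap)
{
    size_t used = 0;
    if (cap == 0) return -1;
    for (;;) {
        size_t room = cap - 1 - used;
        char probe;                   /* detects data past the limit */
        ssize_t n = room ? read(fd, out + used, room) : read(fd, &probe, 1);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) break;            /* peer closed: reply complete */
        if (room == 0) return -1;     /* oversized reply: reject, not truncate */
        used += (size_t)n;
    }
    out[used] = '\0';
    return (long)used;
}

/* Constructed harness: push len filler bytes through a pipe standing in
 * for the socket, then read them back into a RESP_MAX stack buffer. */
long demo_fill(size_t len)
{
    char data[4096], buf[RESP_MAX];
    int fds[2];
    if (len > sizeof data || pipe(fds) != 0) return -2;
    memset(data, 'A', len);
    ssize_t w = write(fds[1], data, len);
    close(fds[1]);
    long got = (w == (ssize_t)len) ? read_response(fds[0], buf, sizeof buf) : -2;
    close(fds[0]);
    return got;
}

int main(void)
{
    printf("%ld %ld\n", demo_fill(RESP_MAX - 1), demo_fill(RESP_MAX));
    return 0;
}
```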