Your message dated Wed, 26 Nov 2008 16:27:04 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#506942: Buffer overflow exploit in versions until 2.1.8
has caused the Debian Bug report #506942,
regarding Buffer overflow exploit in versions until 2.1.8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
506942: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506942
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: no-ip
Version: 2.1.1-4
Severity: critical
Tags: security, fixed-upstream

I just received the attached message from No-IP.com. This affects
stable and testing.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


-- 
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems
--- Begin Message ---
No-IP has determined that the following advisory is applicable to
one or more of the systems you have registered.


Security Advisory - 2008-11-22
------------------------------------------------------------------------------
Summary:
Important: No-IP Linux DUC (Dynamic Update Client)

An updated version of the No-IP Linux Dynamic Update Client that fixes
a security issue is now available.

This update has been rated as having important security impact.

Description:
Versions 2.1.1 -> 2.1.8 are prone to a stack-based buffer-overflow due to
a boundary error when processing HTTP responses received from the update
server. This can be exploited and cause a stack-based buffer overflow when
performing an update.

A malicious user could exploit this by faking the No-IP update server
via DNS poisoning or a man in the middle attack. This can cause a denial of
service (client crash) or potentially execute arbitrary code on the computer
the client is running on.

Users running versions 2.1.8 and older are encouraged to upgrade to the most
recent version, 2.1.9 at http://www.no-ip.com/downloads?page=linux&av=1

Regards,

The No-IP Team

Note:  This email was sent from an unmonitored account.  If you have any
questions or comments please open a trouble ticket at
http://www.no-ip.com/ticket


--- End Message ---

Attachment: digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)


--- End Message ---
--- Begin Message ---
severity 506942 grave
merge 506942 506179
thanks

Version: 2.1.7-11

Already fixed in testing/unstable.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpmdHeoxzmsi.pgp
Description: PGP signature


--- End Message ---
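
The advisory quoted above describes a boundary error when an HTTP response from the update server is copied into a stack buffer. The following C sketch is an added example, not code from the No-IP client or from anyone in this thread. It shows a length-checked way to take the response body into a fixed-size buffer so that an oversized reply from a spoofed server is rejected instead of overrunning the stack. The buffer size, function names and return codes are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical size of the client's on-stack buffer for the server's reply. */
#define REPLY_MAX 64

enum { REPLY_OK = 0, REPLY_MALFORMED = -1, REPLY_TOO_LONG = -2 };

/* Locate the "\r\n\r\n" header terminator without reading past len. */
static const char *find_body(const char *resp, size_t len)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(resp + i, "\r\n\r\n", 4) == 0)
            return resp + i + 4;
    return NULL;
}

/*
 * Copy the body of an HTTP response into out (out_size bytes, NUL included).
 * The unsafe pattern this replaces is an unbounded strcpy()/sscanf("%s")
 * into a fixed array: the sender, not the client, then decides how many
 * bytes land on the stack. Here an oversized body is rejected outright,
 * and len is the byte count actually received, never strlen() of the data.
 */
int extract_reply(const char *resp, size_t len, char *out, size_t out_size)
{
    if (resp == NULL || out == NULL || out_size == 0)
        return REPLY_MALFORMED;
    out[0] = '\0';
    const char *body = find_body(resp, len);
    if (body == NULL)
        return REPLY_MALFORMED;
    size_t body_len = len - (size_t)(body - resp);
    if (body_len >= out_size)          /* leave room for the terminator */
        return REPLY_TOO_LONG;
    memcpy(out, body, body_len);
    out[body_len] = '\0';
    return REPLY_OK;
}

/* Classify a received reply using a fixed stack buffer, as a client would. */
int check_reply(const char *resp, size_t len)
{
    char reply[REPLY_MAX];
    return extract_reply(resp, len, reply, sizeof reply);
}
```

Treating an oversized or malformed reply as a failed update, and logging it, also gives an operator a signal that the client may be talking to something other than the real update server.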
