On Fri, 15 May 2009 14:18:26 +0200, Nico Golde wrote:
> Package: eggdrop
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
> turns out my patch has a bug in it which opens this up for a
> buffer overflow again in case strlen(ctcpbuf) returns 0:
> http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/68341
>
> Too bad no one noticed that before.
> I am going to upload a 0-day NMU now to fix this.
>
> debdiff available on:
> http://people.debian.org/~nion/nmu-diff/eggdrop-1.6.19-1.1_1.6.19-1.2.patch
>
> (includes the wrong bug number to close as I tried to reopen it first but it
> failed because it was already archived).
>
> Cheers
> Nico
Does this mean that DSA-1448 needs to be reissued? And is that in the works? Should the etch fixed version get removed from the DSA list to re-indicate that etch is vulnerable?

mike
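The quoted report names the failure mode but not the code, so the following is an added, constructed C illustration of the general class (not eggdrop's source and not Nico's patch): a length computation that assumes at least one character is present wraps to SIZE_MAX when strlen() returns 0, because size_t is unsigned. The function names, BUFSIZE and the "strip the trailing delimiter" intent are assumptions for the example; the hardened variant rejects the empty input before doing any arithmetic on the length and bounds the copy against the destination.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 16   /* constructed destination size for the example */

/* Unchecked pattern (constructed): computes strlen(src) - 1 as the number of
 * bytes to copy. With an empty string strlen() returns 0 and the subtraction
 * wraps to SIZE_MAX, so any later copy of that many bytes runs far past the
 * destination. This helper only reports whether the computed length would be
 * in range for a BUFSIZE buffer; it performs no copy. */
int unchecked_length_is_sane(const char *src) {
    size_t n = strlen(src) - 1;   /* wraps when strlen(src) == 0 */
    return n < BUFSIZE;
}

/* Hardened pattern: check for the empty string and the destination bound
 * before the arithmetic. Returns the number of bytes copied, or -1 if the
 * input is rejected. The trailing character stripped here stands in for a
 * protocol delimiter (assumption for the example). */
int copy_without_trailing_char(char *dst, size_t dstsize, const char *src) {
    size_t len = strlen(src);
    if (len == 0) return -1;          /* nothing to strip: reject, never underflow */
    len -= 1;                         /* drop the trailing character */
    if (len >= dstsize) return -1;    /* keep room for the NUL terminator */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return (int)len;
}

/* Convenience wrapper with a fixed BUFSIZE destination, so the result can be
 * checked by return value alone. */
int hardened_copy_len(const char *src) {
    static char scratch[BUFSIZE];
    return copy_without_trailing_char(scratch, sizeof scratch, src);
}

int main(void) {
    char out[BUFSIZE];
    printf("unchecked, empty input in range? %d\n", unchecked_length_is_sane(""));
    printf("hardened, empty input: %d\n", copy_without_trailing_char(out, sizeof out, ""));
    printf("hardened, \"hello\\001\": %d -> \"%s\"\n",
           copy_without_trailing_char(out, sizeof out, "hello\001"), out);
    return 0;
}
```

The point of the pair is that the original length check and the zero-length case are separate conditions: a bound on `len - 1` alone is satisfied by the wrapped value only by accident of the comparison direction, so the empty-input test has to come first.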