Your message dated Sun, 7 Mar 2010 23:46:57 +0100
with message-id <20100307224657.ga2...@galadriel.inutil.org>
and subject line Re: [PKG-IRC-Maintainers] Bug#572563: CVE-2009-4652: Denial of 
service through MOTD
has caused the Debian Bug report #572563,
regarding CVE-2009-4652: Denial of service through MOTD
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
572563: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572563
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ngircd
Severity: grave
Tags: security

Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4652
for patches.

Since this package is apparently both unmaintained, unused and lagging
behind the current upstream, the cleanest solution might be a removal
from the archive.

Cheers,
         Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-2-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages ngircd depends on:
ii  libc6                   2.10.2-5         Embedded GNU C Library: Shared lib
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

ngircd recommends no packages.

ngircd suggests no packages.



--- End Message ---
--- Begin Message ---
On Thu, Mar 04, 2010 at 11:47:08PM +0100, Moritz Muehlenhoff wrote:
> On Thu, Mar 04, 2010 at 11:00:30PM +0100, Christoph Biedl wrote:
> > Moritz Muehlenhoff wrote...
> > 
> > > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4652
> > > for patches.
> > 
> > According to that page this affects only versions 13 and 14, and only
> > if TLS is enabled.
> 
> The CVE writeups are usually written without in-depth investigation,
> their information on affected versions shouldn't be trusted without
> checking the code. I didn't look into details, I just file bugs for a
> bunch of new security issues.
> 
> > Currently there's 0.12.1 in Debian, and without TLS support.  You
> > might want to close that bug report.
> 
> I'll leave that to the maintainers/adopters.

I've checked the code and Lenny/Squeeze are indeed not affected, closing.

Cheers,
        Moritz


--- End Message ---
