Steve Langasek wrote:
>
> In that case, could fprobe be turned into a dummy package that depends
> on fprobe-ng, or are there incompatibilities that make an automatic
> upgrade inappropriate?
>
I don't see it being a problem. The old fprobe didn't have an init script or configuration file when I adopted it. fprobe-ng configures itself on installation and creates a file in /etc/default. On an upgrade fprobe would be uninstalled and the user prompted with the initial questions for fprobe-ng.

There is a theoretical vuln in fprobe-ng that was reported by Florian Weimer[1]. I sent an email to upstream about this, he said it's highly unlikely it could be used in DoS.

"Hmm. I've fixed this issue in 1.1. Each time fprobe start it use random CRC16 polynomial and random special 'shuffle' table, thus DoS attack is something purely hypothetical: intruder must know all random parameters (total 258 bytes- ~1077 variants) to success the DoS."

However, I asked him if he is still willing to fix this anyway by using Florian Weimer's suggestions. I am waiting for his reply.

Thanks,
Radu

[1] #322699