On 20 Apr 2016 10:01 pm, "Sebastian Andrzej Siewior" <sebast...@breakpoint.cc> wrote:
>
> On 2015-03-15 06:42:08 [+0100], Salvatore Bonaccorso wrote:
> > On Tue, Feb 17, 2015 at 10:07:06AM +0000, Patrick Coleman wrote:
> > > * Remote null pointer dereference
> > > A remote user can cause a null pointer dereference by sending a
> > > malformed Authorization: header.
> > > http://patrick.ld.net.au/libcsoap/nanohttp-nullp-1.patch
> >
> > For this issue CVE-2015-2297 was assigned.
>
> What do we do here? That bug is open for slightly over a year with a
> security tag and zero activity. We had two patches here which do now
> 404. popcon goes down and it could have something to do with not being
> part of stable. The current binary depends on libssl1.0.0 which has no
> source, a binNMU would fix it (just tried, that is why I stumbled over
> it).
> So we fix this? Do we remove it? In case we want to fix, has someone a
> copy of the two patches?

I should be able to dig out the patches for the two issues I found - let me look tomorrow. But (iirc) the code was very old and unmaintained, and there are likely other significant problems.

-Patrick