(usagi-users 01499) Re: [usagi-announce] 2002/05/27 snapshot
- To: usagi-users@xxxxxxxxxxxxxx
- Subject: (usagi-users 01499) Re: [usagi-announce] 2002/05/27 snapshot
- From: Elliott Mitchell <ehem@xxxxxxx>
- Date: Sat, 1 Jun 2002 15:53:53 -0700 (PDT)
- In-reply-to: <20020527175056G.yoshfuji@linux-ipv6.org> from "YOSHIFUJI Hideaki / [?iso-2022-jp?]" at "May 27, 2002 05:50:56 pm"
- Reply-to: usagi-users@xxxxxxxxxxxxxx
> From: YOSHIFUJI Hideaki / [?iso-2022-jp?]
> 2002/05/16 yoshfuji
> * kernel/linux2{2,4}/net/ipv6/icmp.c, src/iputils/ping6.c:
> [SECURITY] fixed buffer overrun while calculating node group address.
I don't know how severe this is, however this sounds like this needed to
be immediately propagated back to the stable branch.

On the topic of security, since the Debian-potato packages involve
replacing libc, I presume the problem brought up in the advisory
DSA-103-1 (http://www.debian.org/security/2002/dsa-103) affects USAGI.
The USAGI libc is 2.1.3-13usagi20001101a; prior to the advisory Debian
was using version 2.1.3-13, whereas afterwards the version was 2.1.3-20;
given this I must suspect USAGI has not patched the libc and is therefore
still vulnerable to this rather serious problem.

It would also be nice for USAGI to provide signatures along with the
tarballs/packages to make it a lot more difficult to maliciously alter
them.
--
|\__/|\__/|\______ --=> 8-) EHM <=-- ______/|\__/|\__/|
\ | | | EHeM@xxxxxxxxxxxxxxx PGP 8881EF59 | | | /
\ \ | ______| -O #include <stddisclaimer.h> O- |______ | / /
\___\_|/82 04 A1 3C C7 B1 37 2A E3 6E 84 DA 97 4C 40 E6\|_/___/