Re: Leafnode for sarge

To: debian-release@lists.debian.org
Subject: Re: Leafnode for sarge
From: Mark Brown <broonie@sirena.org.uk>
Date: Wed, 4 May 2005 23:44:24 +0100
Message-id: <[🔎] 20050504224424.GB8158@sirena.org.uk>
Mail-followup-to: debian-release@lists.debian.org
In-reply-to: <[🔎] 20050504200034.GA6667@informatik.uni-bremen.de>
References: <20050503194628.GA6007@mauritius.dodds.net> <[🔎] 20050503201437.GA15889@projectcolo.org.uk> <[🔎] 20050504094456.GA11012@mauritius.dodds.net> <[🔎] 20050504200034.GA6667@informatik.uni-bremen.de>

On Wed, May 04, 2005 at 10:00:34PM +0200, Moritz Muehlenhoff wrote:
> In gmane.linux.debian.devel.release, you wrote:
> > leafnode 1.11.1.rel-1 is already in testing. :)

> But it might need another update; 1.11.2 fixes a DoS vulnerability
> in fetchnews with relatively minor impact.

That has now been uploaded for unstable.  Quoting the upstream
changelog, the bugs in question are:

| - Fix fetchnews segfault when connection to server dies while fetchnews is
|   reading an article body (use-after-free bug).  Regression introduced into
|   leafnode v1.9.52.  Denial of service possible, see leafnode-SA-2005-01.txt.
| - Fix fetchnews segfault when connection to server dies while fetchnews is
|   reading an article header.  Regression in security fix of leafnode v1.9.48.
|   Denial of service possible, see leafnode-SA-2005-01.txt

Unfortunately, the 1.11.2 release also includes some other fixes that
aren't security related, though they can produce a noticable improvement
in the bandwidth usage in some circumstances:

| - fetchnews will no longer re-fetch the active file for a server if it
|   has been completely received even if fetching articles from this server
|   encounters a problem.  Long-standing bug.  Debian bug #70052.
| - fetchnews will now properly mark the active for complete re-fetch if it says
|   so.  Previously, it forgot the mark in some circumstances.
| - A problem fetching the active file or descriptions for a newly added server
|   will now mark the active for re-fetch even if articles have successfully
|   been retrieved from the same server.

(there is also a trivial update to the German man page, plus some fixes
for use after frees that didn't get noted in the release notes.)

I consider this second set of fixes useful and desirable but it's hard
to make a case for them being critical for sarge.  Unless the release
team is willing to make an exception due to the security issues I will
try to extract the appropriate fixes and produce a backport for sarge
over the weekend (unless of course that wouldn't be accepted either).

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."

Reply to:

References:
- Leafnode for sarge
  - From: Mark Brown <broonie@sirena.org.uk>
- Re: Leafnode for sarge
  - From: Steve Langasek <vorlon@debian.org>
- Re: Leafnode for sarge
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Prev by Date: Re: anon-proxy serious bugfix to be uploaded to sarge
Next by Date: Re: Please allow qtstalker 0.26-5 into Sarge
Previous by thread: Re: Leafnode for sarge
Next by thread: Re: Leafnode for sarge
Index(es):
- Date
- Thread