FS#34909 - tinc security vulnerability CVE-2013-1428
Attached to Project: Community Packages
Opened by Andrew Cowie (afcowie) - Tuesday, 23 April 2013, 09:24 GMT
Last edited by Timothy Redaelli (tredaelli) - Tuesday, 23 April 2013, 16:32 GMT
Details
CVE-2013-1428 resolved by tinc upstream release 1.0.21, with maintainer advising immediate upgrade:
"Thanks to Martin Schobert for auditing tinc and reporting the vulnerability. He discovered a potential stack overflow that can be triggered by an authenticated peer. This can be used to cause a tinc daemon to crash, or in the worst case, it might be possible to execute code on another node as the user running tincd. This bug has been present in all versions of tinc. All users of tinc should upgrade to 1.0.21 or 1.1pre7 as soon as possible."
http://www.tinc-vpn.org/pipermail/tinc/2013-April/003240.html
Arch's current version is 1.0.20, so I expect it will be a straightforward bump.
AfC
P.S. There's no Category "security" for [community] packages. Perhaps there should be?
Closed by Timothy Redaelli (tredaelli)
Tuesday, 23 April 2013, 16:32 GMT
Reason for closing: Fixed
Additional comments about closing: tinc 1.0.21-1 released