Date: Sun, 26 Aug 2012 22:43:00 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Willamowius <jan@...lamowius.de>
Subject: Re: Re: information request on security bug fix in GNU Gatekeeper 3.1

On 08/25/2012 02:29 AM, Jan Willamowius wrote:
> Hi Raphael,
>
> I was planning to give people a few days to update before
> releasing detailed information.
>
> But you are right, the possibility to create an unlimited number
> of connections each with its own thread handling it is the issue
> that creates an easy possibility for a DOS attack.
>
> Regards, Jan

Please use CVE-2012-3534 for this issue.

> --
> Jan Willamowius, Founder of the GNU Gatekeeper Project
> EMail  : jan@...lamowius.de
> Website: http://www.gnugk.org
> Support: http://www.willamowius.com/gnugk-support.html
>
> Raphael Geissert wrote:
>>> Hi Jan,
>>>
>>> On the announcement of release 3.1 of GNU Gatekeeper[1] there's
>>> a mention of a security bug fix. Could you please shed some
>>> light on the security issue? Is it related to the status port
>>> connection limit feature that was recently added in [2] and
>>> similar?
>>>
>>> Thanks in advance.
>>>
>>> Found via secunia SA50343 [3]
>>>
>>> [1]http://www.gnugk.org/gnugk-3.1.html
>>> [2]http://openh323gk.cvs.sourceforge.net/viewvc/openh323gk/openh323gk/GkStatus.cxx?r1=1.132&r2=1.133
>>> [3]http://secunia.com/advisories/50343/
>>>
>>> Kind regards,
>>> --
>>> Raphael Geissert - Debian Developer
>>> www.debian.org - get.debian.net

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
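
The issue named in the thread above (an unlimited number of connections, each with its own handler thread) goes away when a slot is reserved before any thread is spawned. The following C++ is an added example, not GnuGk code and not part of the original messages; `ConnectionGate`, `simulate_burst` and the limit of 8 are hypothetical, and the connection burst is simulated in-process rather than over sockets.

```cpp
// Added illustration: all names here are hypothetical, not taken from GnuGk.
#include <atomic>
#include <cstdio>
#include <thread>
#include <vector>

// Caps how many connection-handler threads may exist at the same time.
class ConnectionGate {
public:
    explicit ConnectionGate(int limit) : limit_(limit) {}
    // Reserve a slot BEFORE spawning a handler; false means "refuse the connection".
    bool try_enter() {
        int cur = active_.load();
        while (cur < limit_) {
            // On failure cur is reloaded and the limit is checked again.
            if (active_.compare_exchange_weak(cur, cur + 1)) return true;
        }
        return false;
    }
    void leave() { active_.fetch_sub(1); }
    int active() const { return active_.load(); }
private:
    const int limit_;
    std::atomic<int> active_{0};
};

struct BurstResult { int accepted; int refused; int peak_threads; };

// Constructed scenario: `incoming` clients connect and stay idle until the burst
// ends, the pattern that exhausts a server with one thread per connection.
BurstResult simulate_burst(int incoming, int limit) {
    ConnectionGate gate(limit);
    std::atomic<bool> release{false};
    std::vector<std::thread> handlers;
    BurstResult r{0, 0, 0};
    for (int i = 0; i < incoming; ++i) {
        if (!gate.try_enter()) { ++r.refused; continue; }  // close socket, spawn nothing
        ++r.accepted;
        handlers.emplace_back([&gate, &release] {
            while (!release.load()) std::this_thread::yield();  // idle client holds its slot
            gate.leave();                                       // slot freed on disconnect
        });
        if (gate.active() > r.peak_threads) r.peak_threads = gate.active();
    }
    release.store(true);
    for (auto &t : handlers) t.join();
    return r;
}

int main() {
    BurstResult r = simulate_burst(200, 8);
    std::printf("accepted=%d refused=%d peak=%d\n", r.accepted, r.refused, r.peak_threads);
}
```

Without the `try_enter()` check the same burst would create 200 threads; with it, thread count is bounded by the configured limit regardless of how many clients connect.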