Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux Pro for Mac OS X Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repository (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 26 Aug 2012 22:43:00 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Willamowius <jan@...lamowius.de>
Subject: Re: Re: information request on security bug fix in
 GNU Gatekeeper 3.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/25/2012 02:29 AM, Jan Willamowius wrote:
> Hi Raphael,
> 
> I was planning to give people a few days to update before
> releasing detailed information.
> 
> But you are right, the possibility to create an unlimited number
> of connections each with its own thread handling it is the issue
> that creates an easy possibility for a DOS attack.
> 
> Regards, Jan

Please use CVE-2012-3534 for this issue.

> -- Jan Willamowius, Founder of the GNU Gatekeeper Project EMail : 
> jan@...lamowius.de Website: http://www.gnugk.org Support: 
> http://www.willamowius.com/gnugk-support.html Raphael Geissert
> wrote:
>>> Hi Jan,
>>> 
>>> On the announcement of release 3.1 of GNU Gatekeeper[1] there's
>>> a mention of a security bug fix. Could you please shed some
>>> light on the security issue? is it related to the status port
>>> connection limit feature that was recently added in [2] and 
>>> similar?
>>> 
>>> Thanks in advance.
>>> 
>>> Found via secunia SA50343 [3]
>>> 
>>> [1]http://www.gnugk.org/gnugk-3.1.html 
>>> [2]http://openh323gk.cvs.sourceforge.net/viewvc/openh323gk/openh323gk/GkStatus.cxx?r1=1.132&r2=1.133
>>
>>> 
> [3]http://secunia.com/advisories/50343/
>>> 
>>> Kind regards, -- Raphael Geissert - Debian Developer 
>>> www.debian.org - get.debian.net
>>> 
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQOvrUAAoJEBYNRVNeJnmTsGYQAIvW6Lz/7nlxSuRwVTqszXpF
00HBW9tMo3SfG50t3UOlRHJhj8t0wEzcItCNtk6zacm23BnM/spg4q64gNlgJJLP
UT6FQ8TTGRD618pxO9GkT4x4Eb9pN4oFkgl4jr9aC/N8Vxrk/9D5zETWUfPQV0Ok
WdZmN6EmrX1V94RwJ5SvFrdZSPk+PyFDJiC5wkmhYVO6oyUDr144UxOCtvyB3aqx
5cqc+oJBABX9ONNm1RWDVtMNd/kt0knGMYrtlJAUfZYyySn3OGdUZKICzi8/gsCK
3HgYN+OByZmvtJA38JcKHjntgs4+lS5trpVGAWfzVW1QeToOWqO/4m6Jcq78MPrm
5BiQ3Zck+RZnGPXH6lNqNeBmSYNyzR4++GlmLgT4AFHEq6NNs0T4sUJwQ8+33wKe
CnvJWvDXsVyw2PQ6r4rW3w/qPMtcGTHn5EQNL4VsYy34gN4NJuMcSmr808H/cBgE
b2f92MuyRogQtI2jAB+5JX8Ig3w92LocMZNi9kDjjB89tgIANhm9F194ta4pQTU+
Jh6+vzc8czNDGKT9L5CGlkUnbfg+JSk6PbO05Bc3oTCDKFtvWiqq+IhG88bBosh9
3TEGSU6jZLdsgVt+amtts7YOByntH67o0m4jBTnBmQIp9UbELw/7XnG0ZMdPtOU/
BI5KHJXru5Fdg2RMXgHh
=Vnji
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ