From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-dev-return-5801-arch-gentoo-dev=gentoo.org@gentoo.org>
Received: (qmail 5949 invoked by uid 1002); 19 Aug 2003 23:26:03 -0000
Mailing-List: contact gentoo-dev-help@gentoo.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:gentoo-dev@gentoo.org>
List-Help: <mailto:gentoo-dev-help@gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev-unsubscribe@gentoo.org>
List-Subscribe: <mailto:gentoo-dev-subscribe@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@gentoo.org
Received: (qmail 21203 invoked from network); 19 Aug 2003 23:26:02 -0000
From: Patrick Lauer <gentoo@toso-digitals.de>
To: Rainer Groesslinger <scandium@gentoo.org>
Cc: gentoo-dev@gentoo.org
In-Reply-To: <200308200108.34719.scandium@gentoo.org>
References: <1061333257.14174.2.camel@localhost>
	 <200308200108.34719.scandium@gentoo.org>
Content-Type: text/plain
Message-Id: <1061335558.14357.7.camel@localhost>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.3 
Date: 20 Aug 2003 01:25:58 +0200
Content-Transfer-Encoding: 7bit
Subject: Re: [gentoo-dev] Security Problems: xmule, lmule

On Wed, 2003-08-20 at 01:08, Rainer Groesslinger wrote:
> On Wednesday 20 August 2003 00:47, Patrick Lauer wrote:
[snip]
> > Please discourage the use of lmule and xmule until fixed versions are
> > available.
> 
> lmule was removed from the tree several weeks ago because it isn't 
> developed anymore and unsupported for a few months now.
ok

> The problem - indeed - is, that even their latest unstable release 
> (1.5.6a) doesn't fix the problem and I observe xmule sharply and am 
> waiting for a fixed release or at least a patch.
I recommend masking _all_ versions at the moment and issuing a GLSA.
Maybe I'm overreacting, but I do not wish to have my computer rooted :)

> I added an einfo about the security hole in all the xmule ebuilds and I 
> hope they release 1.4.4 or something soon (which will immediately be 
> arch of course)
That's good, but I don't think it's adequate since not everybody
reinstalls xmule every day _and_ reads all einfo lines scrolling by.

Btw, what's the official way for reporting vulnerabilities?
On the website I found almost nothing ... maybe this could be made
easier? Or did I miss something really obvious?

Thanks for the almost instantaneous response,

Patrick Lauer


--
gentoo-dev@gentoo.org mailing list