On Wednesday 20 August 2003 00:47, Patrick Lauer wrote:
> Hi,
>
> yesterday I found this:
> http://www.heise.de/newsticker/data/dab-18.08.03-000/ (in German)
>
> http://lists.netsys.com/pipermail/full-disclosure/2003-August/008449.html (English)
>
> short summary:
> all emule, lmule and xmule versions are vulnerable to buffer
> overflows including execution of malicious code.
>
> xmule 1.4.3 (portage current) is very vulnerable.
> xmule 1.5.6 (latest from xmule website) does not fix all known
> vulnerabilities.
>
> Please discourage the use of lmule and xmule until fixed versions are
> available.

lmule was removed from the tree several weeks ago because it isn't developed anymore and has been unsupported for a few months now.

The problem, indeed, is that even their latest unstable release (1.5.6a) doesn't fix the problem, and I observe xmule sharply and am waiting for a fixed release or at least a patch.

I added an einfo about the security hole in all the xmule ebuilds and I hope they release 1.4.4 or something soon (which will immediately be arch of course).

--
Rainer Groesslinger
http://dev.gentoo.org/~scandium/