From: Rainer Groesslinger
To: gentoo-dev@gentoo.org
Date: Wed, 20 Aug 2003 01:08:30 +0200
Subject: Re: [gentoo-dev] Security Problems: xmule, lmule
Message-Id: <200308200108.34719.scandium@gentoo.org>
In-Reply-To: <1061333257.14174.2.camel@localhost>

On Wednesday 20 August 2003 00:47, Patrick Lauer wrote:
> Hi,
>
> yesterday I found this:
> http://www.heise.de/newsticker/data/dab-18.08.03-000/ (in German)
>
> http://lists.netsys.com/pipermail/full-disclosure/2003-August/008449.html (English)
>
> short summary:
> all emule, lmule and xmule versions are vulnerable to buffer
> overflows including execution of malicious code.
>
> xmule 1.4.3 (portage current) is very vulnerable.
> xmule 1.5.6 (latest from xmule website) does not fix all known
> vulnerabilities.
>
> Please discourage the use of lmule and xmule until fixed versions are
> available.

lmule was removed from the tree several weeks ago because it isn't
developed anymore and unsupported for a few months now.

The problem - indeed - is that even their latest unstable release
(1.5.6a) doesn't fix the problem and I observe xmule sharply and am
waiting for a fixed release or at least a patch.

I added an einfo about the security hole in all the xmule ebuilds and I
hope they release 1.4.4 or something soon (which will immediately be
arch of course)

--
Rainer Groesslinger
http://dev.gentoo.org/~scandium/