Your message dated Mon, 21 Mar 2005 03:17:53 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#299807: fixed in omniorb4 4.0.5-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Message-ID: <[EMAIL PROTECTED]>
Date: Wed, 16 Mar 2005 18:38:12 +0100
From: "W. Borgert" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: omniORB potentially vulnerable against DoS

Package: libomniorb4
Version: 4.0.5-1
Severity: grave
Tags: patch

In case of setting serverCallTimeOutPeriod in /etc/omniORB4.cfg
or by command line, omniORB does not honour the timeout which
leads to inaccessibility of any server application, if too many
client connections are not closed by the client side.

The patch is by Duncan Grisby (omniORB upstream) and will
be included in CVS and upcoming 4.0.6, I hope.

diff -u -r1.1.4.21 giopStrand.cc
--- src/lib/omniORB/orbcore/giopStrand.cc 17 Oct 2004 21:48:40 -0000 1.1.4.21
+++ src/lib/omniORB/orbcore/giopStrand.cc 16 Mar 2005 09:15:29 -0000
@@ -540,10 +540,12 @@
giop_s->giopStreamList::insert(servers);
}
- if (remove && giop_s->state() != IOP_S::WaitingForReply)
- delete giop_s;
- else
- restart_idle = 0;
+ if (remove) {
+ if (giop_s->state() != IOP_S::WaitingForReply)
+ delete giop_s;
+ else
+ restart_idle = 0;
+ }
if (restart_idle && !biDir) {
CORBA::Boolean success = startIdleCounter();
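
Review bot: the inner if/else inside the new `if (remove) { ... }` block has no braces and no comment, so the only thing keeping `else restart_idle = 0;` bound to the state check is the outer brace pair. In the removed lines that same else ran whenever `remove` was false as well as when the state was IOP_S::WaitingForReply, which cleared restart_idle and made the `if (restart_idle && !biDir)` below skip startIdleCounter(). Please brace both inner branches and add a one-line comment saying that restart_idle is cleared only for a stream that is being removed while still waiting for a reply, so a later cleanup does not fold the two conditions back together.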
---------------------------------------
From: Bastian Blank <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#299807: fixed in omniorb4 4.0.5-2
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 21 Mar 2005 03:17:53 -0500
Source: omniorb4
Source-Version: 4.0.5-2
We believe that the bug you reported is fixed in the latest version of
omniorb4, which is due to be installed in the Debian FTP archive:
libcos4-dev_4.0.5-2_i386.deb
to pool/main/o/omniorb4/libcos4-dev_4.0.5-2_i386.deb
libcos4_4.0.5-2_i386.deb
to pool/main/o/omniorb4/libcos4_4.0.5-2_i386.deb
libomniorb4-dev_4.0.5-2_i386.deb
to pool/main/o/omniorb4/libomniorb4-dev_4.0.5-2_i386.deb
libomniorb4_4.0.5-2_i386.deb
to pool/main/o/omniorb4/libomniorb4_4.0.5-2_i386.deb
libomnithread3-dev_4.0.5-2_i386.deb
to pool/main/o/omniorb4/libomnithread3-dev_4.0.5-2_i386.deb
libomnithread3_4.0.5-2_i386.deb
to pool/main/o/omniorb4/libomnithread3_4.0.5-2_i386.deb
omniidl4_4.0.5-2_i386.deb
to pool/main/o/omniorb4/omniidl4_4.0.5-2_i386.deb
omniorb4-doc_4.0.5-2_all.deb
to pool/main/o/omniorb4/omniorb4-doc_4.0.5-2_all.deb
omniorb4-idl_4.0.5-2_all.deb
to pool/main/o/omniorb4/omniorb4-idl_4.0.5-2_all.deb
omniorb4-nameserver_4.0.5-2_i386.deb
to pool/main/o/omniorb4/omniorb4-nameserver_4.0.5-2_i386.deb
omniorb4_4.0.5-2.diff.gz
to pool/main/o/omniorb4/omniorb4_4.0.5-2.diff.gz
omniorb4_4.0.5-2.dsc
to pool/main/o/omniorb4/omniorb4_4.0.5-2.dsc
omniorb4_4.0.5-2_i386.deb
to pool/main/o/omniorb4/omniorb4_4.0.5-2_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Blank <[EMAIL PROTECTED]> (supplier of updated omniorb4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 20 Mar 2005 11:13:56 +0100
Source: omniorb4
Binary: omniorb4-doc libomnithread3 omniidl4 libcos4 omniorb4-nameserver
libomnithread3-dev libcos4-dev omniorb4 libomniorb4-dev omniorb4-idl libomniorb4
Architecture: source i386 all
Version: 4.0.5-2
Distribution: unstable
Urgency: high
Maintainer: Bastian Blank <[EMAIL PROTECTED]>
Changed-By: Bastian Blank <[EMAIL PROTECTED]>
Description:
libcos4 - omniORB4 - CORBA ORB - libcos4
libcos4-dev - omniORB4 - CORBA ORB - libcos4 - developer files
libomniorb4 - omniORB4 - CORBA ORB - libomniorb4
libomniorb4-dev - omniORB4 - CORBA ORB - developer files
libomnithread3 - omniORB4 - CORBA ORB - libomnithread3
libomnithread3-dev - omniORB4 - CORBA ORB - developer files
omniidl4 - omniORB4 - idl compiler
omniorb4 - omniORB4 - CORBA ORB - programs
omniorb4-doc - omniORB4 - CORBA ORB - documentation
omniorb4-idl - omniORB4 - CORBA ORB - idl files
omniorb4-nameserver - omniORB4 - CORBA ORB - nameserver
Closes: 299807
Changes:
omniorb4 (4.0.5-2) unstable; urgency=high
.
* Fix DoS. (closes: #299807)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iEYEARECAAYFAkI+ffsACgkQLkAIIn9ODhHa1ACfZcLxNHiZnt3kc/vlEYhwmr3l
vgwAmwbfnRW+GsKJOz+Pcu1zzfx8Glww
=aUuz
-----END PGP SIGNATURE-----