Re: [SECURITY] [DSA-2158-1] cgiirc security update

2011-02-23 Thread Thijs Kinkhorst
On Wednesday 23 February 2011 10:12:08 Philipp Kern wrote: > Hi, > > On Wed, Feb 09, 2011 at 09:32:48PM +, Steve Kemp wrote: > > Michael Brooks (Sitewatch) discovered a reflective XSS flaw in > > cgiirc, a web based IRC client, which could lead to the execution > > of arbitrary javascript. > >

Re: [SECURITY] [DSA-2158-1] cgiirc security update

2011-02-23 Thread Sven Hoexter
On Wed, Feb 23, 2011 at 03:11:23PM +0100, Sven Hoexter wrote: > *** An error occurred: Program ending: Bad arg length for Socket::inet_ntoa, > length is 0, should be 4 at /usr/lib/cgi-bin/cgiirc/nph-irc.cgi line 673, > line 7. > > > I'm not sure if that might be IPv6 related. That is indeed v6

Re: [SECURITY] [DSA-2158-1] cgiirc security update

2011-02-23 Thread René Mayorga
On Wed, Feb 23, 2011 at 03:11:23PM +0100, Sven Hoexter wrote: > On Wed, Feb 23, 2011 at 10:12:08AM +0100, Philipp Kern wrote: > > > why wasn't this fixed (e.g. through an NMU) in unstable, too? The > > announcement doesn't even mention unstable albeit it's the same version. > > > There's some u

Re: [SECURITY] [DSA-2158-1] cgiirc security update

2011-02-23 Thread Sven Hoexter
On Wed, Feb 23, 2011 at 10:12:08AM +0100, Philipp Kern wrote: > why wasn't this fixed (e.g. through an NMU) in unstable, too? The > announcement doesn't even mention unstable albeit it's the same version. We currently seem to have a slightly better protection for the unstable package; it doesn'

Re: avahi-daemon uses 100% of cpu when scanned with nmap (DoS possible?)

2011-02-23 Thread Yann Castells
I can confirm this. Am 23.02.2011 um 13:36 schrieb Alexander Kurtz: > Package: avahi-daemon > Version: 0.6.27-2 > Tags: security > Severity: critical > Justification: Introduces possible denial-of-service scenario. > > Hi, > > when I scan my server from another machine on the network using nmap

avahi-daemon uses 100% of cpu when scanned with nmap (DoS possible?)

2011-02-23 Thread Alexander Kurtz
Package: avahi-daemon Version: 0.6.27-2 Tags: security Severity: critical Justification: Introduces possible denial-of-service scenario. Hi, when I scan my server from another machine on the network using nmap, I get this: # nmap -sU -p5353 192.168.2.2 Starting Nmap 5.00 ( http:

Re: [SECURITY] [DSA-2158-1] cgiirc security update

2011-02-23 Thread Philipp Kern
Hi, On Wed, Feb 09, 2011 at 09:32:48PM +, Steve Kemp wrote: > Michael Brooks (Sitewatch) discovered a reflective XSS flaw in > cgiirc, a web based IRC client, which could lead to the execution > of arbitrary javascript. > > For the old-stable distribution (lenny), this problem has been fixed