Message-ID: <4AD840CD.7090400@redhat.com>
Date: Fri, 16 Oct 2009 11:45:49 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>
Subject: CVE Request - aria2 - 1.6.2

Hello Steve, vendors,

aria2 upstream has released latest 1.6.2 release, fixing one DoS issue.

From 1.6.2 Release Note:

This release fixes segmentation fault error if URI to download
contains printf format string and logging is enabled

* Fixed the bug that causes segmentation fault if
  req->getCurrentUrl() contains printf format string such as %d. The
  statement that causes this bug is useless and removed.

References:
-----------
http://aria2.svn.sourceforge.net/viewvc/aria2/trunk/NEWS?revision=1586
https://bugzilla.redhat.com/show_bug.cgi?id=529342

Upstream patch:
---------------
http://aria2.svn.sourceforge.net/viewvc/aria2/trunk/src/AbstractCommand.cc?r1=1539&r2=1572

Affected versions:
------------------
aria2-1.5.x && aria2-1.6.x (aria2-1.3.x is not vulnerable)

Could you allocate a CVE identifier?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
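
The bug class described in the message above, as an added C++ example that is not aria2's code or the upstream patch: a hypothetical printf-style logger called with a URI as its format string, beside the form that passes the URI as data. The names log_info, log_uri_unsafe, log_uri_safe and has_format_directive, and the sample URI, are assumptions made for illustration.

```cpp
#include <cstdarg>
#include <cstdio>
#include <string>

// Hypothetical printf-style logger (not aria2's Logger class). The format
// attribute lets GCC/Clang check call sites under -Wformat -Wformat-security.
#if defined(__GNUC__)
__attribute__((format(printf, 1, 2)))
#endif
std::string log_info(const char* fmt, ...) {
  char buf[512];
  va_list ap;
  va_start(ap, fmt);
  std::vsnprintf(buf, sizeof buf, fmt, ap);  // truncates, never overruns buf
  va_end(ap);
  return std::string(buf);
}

// Vulnerable shape: the URI itself is the format string, so "%d" or "%s"
// in it makes vsnprintf read variadic arguments that were never passed
// (undefined behaviour, typically a crash). Kept out of the default build.
#ifdef SHOW_VULNERABLE_FORM
std::string log_uri_unsafe(const std::string& uri) {
  return log_info(uri.c_str());
}
#endif

// Hardened shape: constant format string, URI passed as data.
std::string log_uri_safe(const std::string& uri) {
  return log_info("%s", uri.c_str());
}

// Triage helper: true if the string holds a '%' that a printf-family
// function may treat as a conversion ("%%" is a literal percent sign).
bool has_format_directive(const std::string& s) {
  for (std::size_t i = 0; i + 1 < s.size(); ++i) {
    if (s[i] != '%') continue;
    if (s[i + 1] == '%') { ++i; continue; }
    return true;
  }
  return false;
}

int main() {
  const std::string uri = "http://example.invalid/file%d%s.iso";  // constructed
  std::printf("%s\n", log_uri_safe(uri).c_str());
  return has_format_directive(uri) ? 0 : 1;
}
```

Compiling with -DSHOW_VULNERABLE_FORM -Wformat -Wformat-security makes GCC and Clang warn at the log_info(uri.c_str()) call, which is how this pattern is usually caught in review builds.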