-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 9 Jun 2008 06:36:18 +0000
Source: mt-daapd
Binary: mt-daapd
Architecture: source amd64
Version: 0.2.4+r1376-1.1+etch1
Distribution: stable-security
Urgency: high
Maintainer: Joshua Kwan <joshk@triplehelix.org>
Changed-By: Devin Carraway <devin@debian.org>
Description:
 mt-daapd - iTunes-compatible DAAP server
Closes: 459961 476241
Changes:
 mt-daapd (0.2.4+r1376-1.1+etch1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Apply backport of upstream fixes for two related vulnerabilities
     (Closes: #459961):
     + CVE-2007-5824: Remote denial-of-service through a null pointer
       dereference in src/webserver.c's authorization header handling
     + CVE-2007-5825: Remote arbitrary code execution through a format
       string vulnerability in authorization header of an /xml-rpc request
   * Apply fix from Nico Golde <nion@debian.org> for CVE-2008-1771, an
     integer overflow vulnerability also in src/webserver.c, potentially
     enabling execution of arbitrary code (Closes: #476241)
Files:
 a303c40811df75fd395c28485d038ceb 765 sound optional mt-daapd_0.2.4+r1376-1.1+etch1.dsc
 c427c26e93914290b7cd615835ea333a 995301 sound optional mt-daapd_0.2.4+r1376.orig.tar.gz
 a565dacb5773182a44b367b6c78a0da8 8929 sound optional mt-daapd_0.2.4+r1376-1.1+etch1.diff.gz
 9297976354240c5a75b2c3636fe0746d 610844 sound optional mt-daapd_0.2.4+r1376-1.1+etch1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFITOyZU5XKDemr/NIRAjnwAKDPSxgW//tr2N7GewWAvyUIHWYS3QCeNlN2
A3JUS/iPA+M/yIpWDPGPlBc=
=bwia
-----END PGP SIGNATURE-----


Accepted:
mt-daapd_0.2.4+r1376-1.1+etch1.diff.gz
  to pool/main/m/mt-daapd/mt-daapd_0.2.4+r1376-1.1+etch1.diff.gz
mt-daapd_0.2.4+r1376-1.1+etch1.dsc
  to pool/main/m/mt-daapd/mt-daapd_0.2.4+r1376-1.1+etch1.dsc
mt-daapd_0.2.4+r1376-1.1+etch1_amd64.deb
  to pool/main/m/mt-daapd/mt-daapd_0.2.4+r1376-1.1+etch1_amd64.deb