successfully exploit the code, you would need to enable socks5
traversal (default off) and connect to the attacker's own custom
proxy server.
If you never intend to use a Socks5 proxy, you are not affected at
all by this issue.
http://mail.nl.linux.org/xchat-announce/2004-04/msg00000.html
ok pvalchev@
There is a path-sanitizing bug that affects daemon mode in all
recent rsync versions (including 2.6.2) but only if chroot is
disabled. It does NOT affect the normal send/receive filenames
that specify what files should be transferred. It does affect
certain option paths that cause auxiliary files to be read or
written.
http://rsync.samba.org/#security_aug04
Gaim contains several remote overflows related to the MSN-protocol
parsing functions that may allow remote code execution.
The added patch fixes these issues.
ok brad@, pvalchev@
remove patches that break renaming of files (filedir.c) and cause
incorrect directory creation date (directory.c)
from John.Benninghoff@rbcdain.com
if someone (who can actually test this) wants to, feel free to fix
Upgrade to 2.2.10:
Fixes a buffer overrun in the code
used to support the 'manglin method = hash'
smb.conf option.
from peter@, little modification by me;
a dozen remote holes being fixed, that we shipped with. Weeks later
things have not improved, and there continue to be problems reported
to bugtraq, and respective band-aids - but it is clear the ethereal
team does not care about security, as new protocols get added, and
nothing gets done about the many more holes that exist.
Maybe someone will at least privilege separate this one day, and then
the OpenBSD stance with respect to this may change.
Encouraging people to run broken software by distributing packages
with known security holes is not desired by any of us.
