Re: [bug-serveez] Serveez Information Leak Vulnerability

[Raimund 'Raimi' Jacob-Blödorn]

On 11/23/19 1:30 AM, Austin James Gadient wrote:

Hello Austin!

Thanks for being persistent! I am awfully sorry, but I have very little 
time for this. And there are problems.

TL;DR: I applied your patch to both the "master" (0.2.2) and "next" 
(0.2.3) branches (and pushed them). However, I cannot make an official 
release.

Problem: I am unable to even get the build system to work. Somewhen 
around 2011 ttn started using guile-baux-tool, which I do not know and 
cannot find (no Debian package, no sources, nothing). This tool may be 
known in the guile world, but I am not at all a guile programmer.

So, i cannot autogen.sh, nor can I "configure" nor can I "make" or test 
or anything.

Furthermore, the "next" branch seems to contain some unfinished changes 
regarding some macros, so a 0.2.3 release would need even more attention.

Also, ttn disappeared. I'm afraid their email does not work anymore and 
I lost track.


I'd really, really like to have everything fixed, compiling and working. 
But I need some serious help!

Thanks,

        Raimund.


> Just checking in. The CVE has been published here: 
> https://nvd.nist.gov/vuln/detail/CVE-2019-16200.
> Did the patch file work? Will you push the patch for the bug?
>
> Thanks,
> Austin
>
> ________________________________________
> From: bug-serveez <bug-serveez-bounces+agadient=address@hidden> on behalf of Austin 
> James Gadient <address@hidden>
> Sent: Saturday, November 16, 2019 9:00 AM
> To: Raimund 'Raimi' Jacob-Blödorn; address@hidden
> Subject: Re: [bug-serveez] Serveez Information Leak Vulnerability
>
> Hi Raimund,
>
> Did that patch file work for you?
>
> Thanks,
> Austin
> ________________________________________
> From: Austin James Gadient
> Sent: Saturday, November 9, 2019 8:07 PM
> To: Raimund 'Raimi' Jacob-Blödorn; address@hidden
> Subject: Re: [bug-serveez] Serveez Information Leak Vulnerability
>
> Hi Raimund,
>
> Ah sorry about that and no problem!
>
> I have attached a patch file that you should be able to apply from the 
> serveez-0.2.2 directory.
>
> Let me know if you have any issues and thank you for your time!
>
> Best Regards,
> Austin
> ________________________________________
> From: Raimund 'Raimi' Jacob-Blödorn <address@hidden>
> Sent: Saturday, November 9, 2019 10:58 AM
> To: Austin James Gadient; address@hidden
> Subject: Re: [bug-serveez] Serveez Information Leak Vulnerability
>
> On 11/7/19 5:57 PM, Austin James Gadient wrote:
>
> Hello Austin!
>
> > Just following up. Have you had a chance to look at this?
>
> Well, I cannot do much with your Mac OS compilation attempts.
>
> I tried to diff your sources against the "next" branch of the serveez
> git repository but could not identify any change of yours.
>
> If I understand you correctly, it should be sufficient to make
> http->contentlength an unsigned int (and/or have an arbitrary cap somwhere).
>
> I am really sorry to have so little time to investigate. But if you send
> mit a simple diff I'll do my best to apply it.
>
> Greetings,
>
>          Raimund
>
>
> _______________________________________________
> bug-serveez mailing list
> address@hidden
> https://lists.gnu.org/mailman/listinfo/bug-serveez
>
> _______________________________________________
> bug-serveez mailing list
> address@hidden
> https://lists.gnu.org/mailman/listinfo/bug-serveez