
Re: [bug-serveez] Serveez Information Leak Vulnerability


From: Austin James Gadient
Subject: Re: [bug-serveez] Serveez Information Leak Vulnerability
Date: Sun, 24 Nov 2019 04:29:59 +0000

Hi Raimund,

I'm happy to help you make it build.
I will send over instructions sometime this week for the master branch.
I haven't worked with the next branch so I'm not sure how to make that go.

Thank you!

________________________________________
From: Raimund 'Raimi' Jacob-Blödorn <address@hidden>
Sent: Saturday, November 23, 2019 4:12 PM
To: Austin James Gadient; address@hidden
Cc: Thien-Thi Nguyen
Subject: Re: [bug-serveez] Serveez Information Leak Vulnerability

On 11/23/19 1:30 AM, Austin James Gadient wrote:

Hello Austin!

Thanks for being persistent! I am awfully sorry, but I have very little
time for this. And there are problems.

TL;DR: I applied your patch to both the "master" (0.2.2) and "next"
(0.2.3) branches (and pushed them). However, I cannot make an official
release.

Problem: I am unable to even get the build system to work. Somewhen
around 2011 ttn started using guile-baux-tool, which I do not know and
cannot find (no Debian package, no sources, nothing). This tool may be
known in the guile world, but I am not at all a guile programmer.

So, I cannot autogen.sh, nor can I "configure" nor can I "make" or test
or anything.

Furthermore, the "next" branch seems to contain some unfinished changes
regarding some macros, so a 0.2.3 release would need even more attention.

Also, ttn disappeared. I'm afraid their email does not work anymore and
I lost track.


I'd really, really like to have everything fixed, compiling and working.
But I need some serious help!

Thanks,

        Raimund.


> Just checking in. The CVE has been published here: 
> https://nvd.nist.gov/vuln/detail/CVE-2019-16200.
> Did the patch file work? Will you push the patch for the bug?
>
> Thanks,
> Austin
>
> ________________________________________
> From: bug-serveez <bug-serveez-bounces+agadient=address@hidden> on behalf of 
> Austin James Gadient <address@hidden>
> Sent: Saturday, November 16, 2019 9:00 AM
> To: Raimund 'Raimi' Jacob-Blödorn; address@hidden
> Subject: Re: [bug-serveez] Serveez Information Leak Vulnerability
>
> Hi Raimund,
>
> Did that patch file work for you?
>
> Thanks,
> Austin
> ________________________________________
> From: Austin James Gadient
> Sent: Saturday, November 9, 2019 8:07 PM
> To: Raimund 'Raimi' Jacob-Blödorn; address@hidden
> Subject: Re: [bug-serveez] Serveez Information Leak Vulnerability
>
> Hi Raimund,
>
> Ah sorry about that and no problem!
>
> I have attached a patch file that you should be able to apply from the 
> serveez-0.2.2 directory.
>
> Let me know if you have any issues and thank you for your time!
>
> Best Regards,
> Austin
> ________________________________________
> From: Raimund 'Raimi' Jacob-Blödorn <address@hidden>
> Sent: Saturday, November 9, 2019 10:58 AM
> To: Austin James Gadient; address@hidden
> Subject: Re: [bug-serveez] Serveez Information Leak Vulnerability
>
> On 11/7/19 5:57 PM, Austin James Gadient wrote:
>
> Hello Austin!
>
>> Just following up. Have you had a chance to look at this?
>
> Well, I cannot do much with your Mac OS compilation attempts.
>
> I tried to diff your sources against the "next" branch of the serveez
> git repository but could not identify any change of yours.
>
> If I understand you correctly, it should be sufficient to make
> http->contentlength an unsigned int (and/or have an arbitrary cap somewhere).
>
> I am really sorry to have so little time to investigate. But if you send
> me a simple diff I'll do my best to apply it.
>
> Greetings,
>
>          Raimund
>
>
> _______________________________________________
> bug-serveez mailing list
> address@hidden
> https://lists.gnu.org/mailman/listinfo/bug-serveez
>



