Bug 1209214 - CVE-2015-2927 node: SIGQUIT fails [fedora-all]
Summary: CVE-2015-2927 node: SIGQUIT fails [fedora-all]
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: node
Version: 27
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Lucian Langa
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: CVE-2015-2927
TreeView+ depends on / blocked
 
Reported: 2015-04-06 17:30 UTC by Iain R. Learmonth
Modified: 2018-11-27 15:32 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Release Note
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Debian BTS 777013 None None None Never

Description Iain R. Learmonth 2015-04-06 17:30:55 UTC
If a user does "ctrl-]+q" out of a telnet session (forcing it closed),
when node is told to quit via SIGQUIT it does not clean up properly.

For node (unlike, say, a generic telnetd), this is a relatively
important vulnerability because a TCP connection usually occurs over
a very low-bandwidth radio path.

This bug was originally filed against the Debian package, but also
affects the Fedora package. The Debian bug is available at:

 * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777013

This issue has been assigned a CVE: CVE-2015-2927.

  * http://www.openwall.com/lists/oss-security/2015/04/06/3

Comment 1 Jan Kurik 2015-07-15 14:18:47 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 2 Eric Christensen 2015-12-04 19:38:30 UTC
Updated priority and severity to match CVE impact level (moderate).

Comment 3 Iain R. Learmonth 2015-12-04 20:06:11 UTC
Hi,

For information -

We have removed this package from Debian and packaged UROnode as a replacement as it provides the same functionality and is an actively maintained fork of this software. This decision was made by the Debian Hamradio Maintainers (debian-hams@lists.debian.org) with input from TAPR.

Thanks,
Iain.

Comment 4 Fedora End Of Life 2016-11-24 11:39:36 UTC
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 5 Iain R. Learmonth 2016-11-28 15:19:09 UTC
This still affects Fedora 24 and later.

Comment 6 Fedora End Of Life 2017-07-25 18:53:03 UTC
This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '24'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 7 Jan Kurik 2017-08-08 11:29:33 UTC
Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is
no longer maintained, which means that it will not receive any further
security or bug fix updates.

As this is a security big we are moving this bug to the currently latest
supported release. Please check whether this bug is still applicable.

Comment 8 Fedora End Of Life 2017-11-16 19:06:44 UTC
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 9 Jan Kurik 2018-05-31 07:28:40 UTC
This bug has been reported against a Fedora version which is already unsuported.
In compliance with FESCo decision how to handle EOL of Security issues [1],
I am changing the version to '27', the latest supported release.

Please check whether this bug is still an issue on the '27' release.
If you find this bug not being applicable on this release, please close it.

[1] https://pagure.io/fesco/issue/1736

Comment 10 Ben Cotton 2018-11-27 15:32:46 UTC
This message is a reminder that Fedora 27 is nearing its end of life.
On 2018-Nov-30  Fedora will stop maintaining and issuing updates for
Fedora 27. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora  'version' of '27'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 27 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.


Note You need to log in before you can comment on or make changes to this bug.