Net::Server: Format string vulnerability — GLSA 200608-18

A format string vulnerability has been reported in Net::Server which can be exploited to cause a Denial of Service.

Affected packages

dev-perl/net-server on all architectures
Affected versions < 0.88
Unaffected versions >= 0.88

Background

Net::Server is an extensible, generic Perl server engine. It is used by several Perl applications like Postgrey.

Description

The log function of Net::Server does not handle format string specifiers properly before they are sent to syslog.

Impact

By sending a specially crafted datastream to an application using Net::Server, an attacker could cause a Denial of Service.

Workaround

There is no known workaround at this time.

Resolution

All Net::Server should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-perl/net-server-0.88"

References

Release date
August 10, 2006

Latest revision
August 10, 2006: 01

Severity
normal

Exploitable
remote

Bugzilla entries