Add further notes on CVE-2004-2687/distcc

The 2.18.1-1 upload already made the --allow option mandatory for daemon mode, thus distccd would refuse to run without an IP access control list. Upstream bug https://github.com/distcc/distcc/issues/155
author: Salvatore Bonaccorso <carnil@debian.org> 2018-12-15 08:43:44 +0100
committer: Salvatore Bonaccorso <carnil@debian.org> 2018-12-15 08:43:44 +0100
commit: 12fe2b5574bd15bd741ddfc14cd34c642eca19aa (patch)
tree: a23104378aeb7c9a41108f56400137cad38b3ce6 /data/CVE/2004.list
parent: c5fe35d466ae2efb98ecfd7fb1f1eb163bb0550a (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/data/CVE/2004.list b/data/CVE/2004.list
index f1acfcb5e1..5a5ef9521c 100644
--- a/data/CVE/2004.list
+++ b/data/CVE/2004.list
@@ -197,6 +197,9 @@ CVE-2004-2688 (Cross-site scripting (XSS) vulnerability in index.php in NewsPHP
 CVE-2004-2687 (distcc 2.x, as used in XCode 1.5 and others, when not configured to ...)
 	- distcc 2.18.1-1 (low)
 	NOTE: since 2.18.1-1 there is the --allow switch to control network access
+	NOTE: https://github.com/distcc/distcc/issues/155
+	NOTE: Fix in depth is only in later version 3.3, cf.
+	NOTE: https://bugs.debian.org/892973
 CVE-2004-2686 (Directory traversal vulnerability in the vfs_getvfssw function in ...)
 	NOT-FOR-US: Solaris
 CVE-2004-2685 (Buffer overflow in YoungZSoft CCProxy 6.2 and earlier allows remote ...)
author	Salvatore Bonaccorso <carnil@debian.org>	2018-12-15 08:43:44 +0100
committer	Salvatore Bonaccorso <carnil@debian.org>	2018-12-15 08:43:44 +0100
commit	12fe2b5574bd15bd741ddfc14cd34c642eca19aa (patch)
tree	a23104378aeb7c9a41108f56400137cad38b3ce6 /data/CVE/2004.list
parent	c5fe35d466ae2efb98ecfd7fb1f1eb163bb0550a (diff)