Add further notes on CVE-2004-2687/distcc

The 2.18.1-1 upload already made the --allow option mandatory for daemon mode, thus distccd would refuse to run without an IP access control list. Upstream bug https://github.com/distcc/distcc/issues/155
author: Salvatore Bonaccorso <carnil@debian.org> 2018-12-15 08:43:44 +0100
committer: Salvatore Bonaccorso <carnil@debian.org> 2018-12-15 08:43:44 +0100
commit: 28d319053e60d29d7e4ec0eb00ed3f8413ccada6 (patch)
tree: fde952b75012e2b5fe7c0abb3ae869dab946229e /data/CVE/list.2004
parent: fe583a321e088e7cfa58946be32b62ae0076ccfd (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/data/CVE/list.2004 b/data/CVE/list.2004
index f1acfcb5e1..5a5ef9521c 100644
--- a/data/CVE/list.2004
+++ b/data/CVE/list.2004
@@ -197,6 +197,9 @@ CVE-2004-2688 (Cross-site scripting (XSS) vulnerability in index.php in NewsPHP
 CVE-2004-2687 (distcc 2.x, as used in XCode 1.5 and others, when not configured to ...)
 	- distcc 2.18.1-1 (low)
 	NOTE: since 2.18.1-1 there is the --allow switch to control network access
+	NOTE: https://github.com/distcc/distcc/issues/155
+	NOTE: Fix in depth is only in later version 3.3, cf.
+	NOTE: https://bugs.debian.org/892973
 CVE-2004-2686 (Directory traversal vulnerability in the vfs_getvfssw function in ...)
 	NOT-FOR-US: Solaris
 CVE-2004-2685 (Buffer overflow in YoungZSoft CCProxy 6.2 and earlier allows remote ...)
author	Salvatore Bonaccorso <carnil@debian.org>	2018-12-15 08:43:44 +0100
committer	Salvatore Bonaccorso <carnil@debian.org>	2018-12-15 08:43:44 +0100
commit	28d319053e60d29d7e4ec0eb00ed3f8413ccada6 (patch)
tree	fde952b75012e2b5fe7c0abb3ae869dab946229e /data/CVE/list.2004
parent	fe583a321e088e7cfa58946be32b62ae0076ccfd (diff)