From 28d319053e60d29d7e4ec0eb00ed3f8413ccada6 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sat, 15 Dec 2018 08:43:44 +0100 Subject: Add further notes on CVE-2004-2687/distcc The 2.18.1-1 upload already made the --allow option mandatory for daemon mode, thus distccd would refuse to run without an IP access control list. Upstream bug https://github.com/distcc/distcc/issues/155 --- data/CVE/list.2004 | 3 +++ 1 file changed, 3 insertions(+) (limited to 'data/CVE/list.2004') diff --git a/data/CVE/list.2004 b/data/CVE/list.2004 index f1acfcb5e1..5a5ef9521c 100644 --- a/data/CVE/list.2004 +++ b/data/CVE/list.2004 @@ -197,6 +197,9 @@ CVE-2004-2688 (Cross-site scripting (XSS) vulnerability in index.php in NewsPHP CVE-2004-2687 (distcc 2.x, as used in XCode 1.5 and others, when not configured to ...) - distcc 2.18.1-1 (low) NOTE: since 2.18.1-1 there is the --allow switch to control network access + NOTE: https://github.com/distcc/distcc/issues/155 + NOTE: Fix in depth is only in later version 3.3, cf. + NOTE: https://bugs.debian.org/892973 CVE-2004-2686 (Directory traversal vulnerability in the vfs_getvfssw function in ...) NOT-FOR-US: Solaris CVE-2004-2685 (Buffer overflow in YoungZSoft CCProxy 6.2 and earlier allows remote ...) -- cgit v1.2.3
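Review bot: the added NOTE lines under CVE-2004-2687 do not record the fact the commit message relies on, that the 2.18.1-1 upload made --allow mandatory for daemon mode so distccd refuses to run without an IP access control list. The unchanged context line still only says "since 2.18.1-1 there is the --allow switch to control network access", which reads as an optional setting. Consider rewording that line or adding a note such as "NOTE: 2.18.1-1 makes --allow mandatory for daemon mode", so the reason the entry keeps "- distcc 2.18.1-1 (low)" is visible in the tracker itself and not only in the commit log. The bare "NOTE: https://github.com/distcc/distcc/issues/155" would also be easier to read if labelled as the upstream bug, as the commit message does. Finally, "Fix in depth is only in later version 3.3, cf." is split from its URL across two NOTE lines and does not say what the 3.3 change adds beyond the --allow restriction; a few words on that would help anyone triaging versions between 2.18.1-1 and 3.3.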