Your message dated Thu, 27 Sep 2007 12:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#444002: fixed in dibbler 0.6.1-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: dibbler
Severity: grave
Tags: security
Justification: user security hole

Hi

There are three CVEs issued for dibbler.

CVE-2007-5028:

Dibbler 0.6.0 on Linux uses weak world-writable permissions for
unspecified files in /var/lib/dibbler, which has unknown impact and
local attack vectors.


CVE-2007-5029:

Dibbler 0.6.0 does not verify that certain length parameters are
appropriate for buffer sizes, which allows remote attackers to trigger a
buffer over-read and cause a denial of service (daemon crash), as
demonstrated by incorrect behavior of the TSrvMsg constructor in
SrvMessages/SrvMsg.cpp when (1) reading the option code and option
length and (2) parsing options. 


CVE-2007-5030:

Multiple integer overflows in Dibbler 0.6.0 allow remote attackers to
cause a denial of service (daemon crash) via packets containing options
with large lengths, which trigger attempts at excessive memory
allocation, as demonstrated by (1) the TSrvMsg constructor in
SrvMessages/SrvMsg.cpp; the (2) TClntMsg, (3) TClntOptIAAddress, (4)
TClntOptIAPrefix, (5) TOptVendorSpecInfo, and (6) TOptOptionRequest
constructors; and the (7) TRelIfaceMgr::decodeRelayRepl, (8)
TRelMsg::decodeOpts, and (9) TSrvIfaceMgr::decodeRelayForw methods. 



There might be some other fixes in the new 0.6.1 version, according to
the upstream CHANGELOG. I am still looking at the source code to
separate them. Could you please consider packaging the new upstream
version to fix these issues and please mention the CVE numbers in the
changelog.
Thanks for your efforts.

Cheers
Steffen



--- End Message ---
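The two parsing flaws in the report above (CVE-2007-5029, CVE-2007-5030) share one root cause: an option length read from the wire was trusted before being compared with the bytes actually left in the packet, so it could drive an over-read or an oversized allocation. The following is an added example, not dibbler's own code: a bounds-checked walk over DHCPv6 options (2-byte code, 2-byte length, body) that shows the checks a safe parser performs. The function name `walk_dhcpv6_options`, the `MAX_OPT_ALLOC` cap and the sample packets are assumptions constructed for the example.

```c
/* Added example, not dibbler's code: bounds-checked DHCPv6 option walk. */
#include <stdint.h>
#include <stddef.h>

#define DHCPV6_OPT_HDR 4      /* option-code (2) + option-len (2) */
#define MAX_OPT_ALLOC  4096   /* hypothetical per-option allocation cap */

/* Walks the option list in buf[0..len). Returns the number of options,
 * or -1 if any header or body would run past the end of the buffer or
 * exceed the allocation cap. `largest` (optional) receives the biggest
 * option body seen, the value a caller would later pass to malloc(). */
int walk_dhcpv6_options(const uint8_t *buf, size_t len, size_t *largest)
{
    size_t pos = 0;
    int count = 0;
    if (largest) *largest = 0;
    while (pos < len) {
        /* 1. The 4-byte header must fit in what remains. */
        if (len - pos < DHCPV6_OPT_HDR)
            return -1;
        uint16_t code = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
        uint16_t olen = (uint16_t)((buf[pos + 2] << 8) | buf[pos + 3]);
        pos += DHCPV6_OPT_HDR;
        /* 2. The body must fit: compare against the remaining length
         *    rather than computing pos + olen, which can wrap. */
        if (olen > len - pos)
            return -1;
        /* 3. Never let a wire-supplied length pick an allocation size
         *    on its own; cap it before it reaches malloc(). */
        if (olen > MAX_OPT_ALLOC)
            return -1;
        (void)code;   /* a real parser dispatches on the option code here */
        if (largest && olen > *largest) *largest = olen;
        pos += olen;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_OK[] = {
    0x00, 0x01, 0x00, 0x02, 0xaa, 0xbb,   /* option 1, len 2 */
    0x00, 0x03, 0x00, 0x00                /* option 3, len 0 */
};
static const uint8_t SAMPLE_TRUNC_BODY[] = { 0x00, 0x01, 0xff, 0xff, 0xaa }; /* claims 65535, has 1 */
static const uint8_t SAMPLE_TRUNC_HDR[]  = { 0x00, 0x01, 0x00 };             /* header cut short */

int demo_ok(void)   { return walk_dhcpv6_options(SAMPLE_OK, sizeof SAMPLE_OK, NULL); }
int demo_body(void) { return walk_dhcpv6_options(SAMPLE_TRUNC_BODY, sizeof SAMPLE_TRUNC_BODY, NULL); }
int demo_hdr(void)  { return walk_dhcpv6_options(SAMPLE_TRUNC_HDR, sizeof SAMPLE_TRUNC_HDR, NULL); }
```

The truncated-body sample is the shape of input the report describes: a length field larger than the packet, which an unchecked parser would read past or pass to an allocator.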
--- Begin Message ---
Source: dibbler
Source-Version: 0.6.1-1

We believe that the bug you reported is fixed in the latest version of
dibbler, which is due to be installed in the Debian FTP archive:

dibbler-client_0.6.1-1_i386.deb
  to pool/main/d/dibbler/dibbler-client_0.6.1-1_i386.deb
dibbler-doc_0.6.1-1_all.deb
  to pool/main/d/dibbler/dibbler-doc_0.6.1-1_all.deb
dibbler-relay_0.6.1-1_i386.deb
  to pool/main/d/dibbler/dibbler-relay_0.6.1-1_i386.deb
dibbler-server_0.6.1-1_i386.deb
  to pool/main/d/dibbler/dibbler-server_0.6.1-1_i386.deb
dibbler_0.6.1-1.diff.gz
  to pool/main/d/dibbler/dibbler_0.6.1-1.diff.gz
dibbler_0.6.1-1.dsc
  to pool/main/d/dibbler/dibbler_0.6.1-1.dsc
dibbler_0.6.1.orig.tar.gz
  to pool/main/d/dibbler/dibbler_0.6.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tomasz Mrugalski <[EMAIL PROTECTED]> (supplier of updated dibbler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


Format: 1.7
Date: Wed, 26 Sep 2007 22:45:33 +0200
Source: dibbler
Binary: dibbler-doc dibbler-relay dibbler-server dibbler-client
Architecture: source all i386
Version: 0.6.1-1
Distribution: unstable
Urgency: low
Maintainer: Tomasz Mrugalski <[EMAIL PROTECTED]>
Changed-By: Tomasz Mrugalski <[EMAIL PROTECTED]>
Description: 
 dibbler-client - portable DHCPv6 client
 dibbler-doc - documentation for Dibbler
 dibbler-relay - portable DHCPv6 relay
 dibbler-server - portable DHCPv6 server
Closes: 417156 444002
Changes: 
 dibbler (0.6.1-1) unstable; urgency=low
 .
   * New upstream release
   * security fix:CVE-2007-5028, CVE-2007-5029,CVE-2007-5028 (closes: #444002)
   * gcc 4.3 compatibility (closes: #417156)
Files: 
 3be34b39dd9cc0573c65b213d7190975 684 admin optional dibbler_0.6.1-1.dsc
 220e68795ab0375cb3bc1f40c47e0bb2 3526327 admin optional dibbler_0.6.1.orig.tar.gz
 dbf75fcb48bcb55f33200105a9ec9b35 17134 admin optional dibbler_0.6.1-1.diff.gz
 e6db4587b5c8c8d0826b45ff3ccf1704 364288 admin optional dibbler-server_0.6.1-1_i386.deb
 89c4860543079b4a13503309201d6e28 346724 admin optional dibbler-client_0.6.1-1_i386.deb
 aab792aaf154c122910a9be0e766026b 110112 admin optional dibbler-relay_0.6.1-1_i386.deb
 5c669bdd3bae6debfae4c9bdb35c680a 1168076 doc optional dibbler-doc_0.6.1-1_all.deb




--- End Message ---