Your message dated Sun, 19 Oct 2014 10:20:43 +0000
with message-id <e1xfnbp-0006aw...@franck.debian.org>
and subject line Bug#762789: fixed in ppp 2.4.6-3
has caused the Debian Bug report #762789,
regarding ppp: CVE-2014-3158: Integer overflow in option parsing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
762789: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762789
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ppp
Severity: grave
Tags: security

Hi,

the following vulnerability was published for ppp.

CVE-2014-3158[0]:
Potential integer overflow in option parsing

This is fixed in this commit
https://github.com/paulusmack/ppp/commit/7658e8257183f062dc01f87969c140707c7e52cb
and in the 2.4.7 upstream release.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3158
https://security-tracker.debian.org/tracker/CVE-2014-3158
http://marc.info/?l=linux-ppp&m=140764978420764

Please adjust the affected versions in the BTS as needed.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
--- End Message ---
--- Begin Message ---
Source: ppp
Source-Version: 2.4.6-3
We believe that the bug you reported is fixed in the latest version of
ppp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 762...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Boot <deb...@bootc.net> (supplier of updated ppp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 19 Oct 2014 10:47:59 +0100
Source: ppp
Binary: ppp ppp-udeb ppp-dev
Architecture: source amd64 all
Version: 2.4.6-3
Distribution: unstable
Urgency: high
Maintainer: Marco d'Itri <m...@linux.it>
Changed-By: Chris Boot <deb...@bootc.net>
Description:
 ppp - Point-to-Point Protocol (PPP) - daemon
 ppp-dev - Point-to-Point Protocol (PPP) - development files
 ppp-udeb - Point-to-Point Protocol (PPP) - package for Debian Installer (udeb)
Closes: 762789
Changes:
 ppp (2.4.6-3) unstable; urgency=high
 .
   * Urgency high due to fix for CVE-2014-3158.
   * Cherry-pick patches from 2.4.7 upstream release. These are 9 of 11 patches
     in the 2.4.7 upstream release of PPP, including the fix for CVE-2014-3158.
     The two patches left out were not imported in order to preserve ABI
     stability. (Closes: #762789)
     - ppp-2.4.7-001-pppd-Separate-IPv6-handling-for-sifup-sifdown.patch
     - ppp-2.4.7-002-pppol2tp-Connect-up-down-events-to-notifiers-and-add.patch
     - ppp-2.4.7-003-pppd-Add-declarations-to-eliminate-compile-warnings.patch
     - ppp-2.4.7-004-pppd-Eliminate-some-unnecessary-ifdefs.patch
     - ppp-2.4.7-005-radius-Fix-realms-config-file-option.patch
     - ppp-2.4.7-006-pppd-Eliminate-potential-integer-overflow-in-option-.patch
     - ppp-2.4.7-007-pppd-Eliminate-memory-leak-with-multiple-instances-o.patch
     - ppp-2.4.7-008-pppd-Fix-a-stack-variable-overflow-in-MSCHAP-v2.patch
     - ppp-2.4.7-009-winbind-plugin-Add-DMPPE-1-to-eliminate-compiler-war.patch
   * Refresh debian/patches/cifdefroute.dif
   * Update Standards-Version to 3.9.6 (no changes required).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---