Your message dated Thu, 10 Mar 2016 15:07:51 +0100
with message-id <20160310140751.ga24...@lorien.valinor.li>
and subject line Re: Bug#817799: libotr5: Exploitable integer overflow 
vulnerability (CVE-2016-2851)
has caused the Debian Bug report #817799,
regarding libotr5: Exploitable integer overflow vulnerability (CVE-2016-2851)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
817799: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817799
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libotr5
Version: 4.1.0-7
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

the libotr versions prior to 4.1.1 contain an integer overflow vulnerability.
This can cause a buffer overflow that could lead to code execution. The
vulnerability has been assigned CVE-2016-2851.

You can find more information here:

https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/

Sincerely,

Michail Bachmann



-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (300, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 4.4.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libotr5 depends on:
ii  libc6        2.22-2
ii  libgcrypt20  1.6.5-2

libotr5 recommends no packages.

Versions of packages libotr5 suggests:
pn  libotr5-bin  <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: libotr
Source-Version: 4.1.1-1

Hi,

On Thu, Mar 10, 2016 at 02:49:20PM +0100, Michail Bachmann wrote:
> Package: libotr5
> Version: 4.1.0-7
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Dear Maintainer,
> 
> the libotr versions prior to 4.1.1 contain an integer overflow vulnerability.
> This can cause a buffer overflow that could lead to code execution. The
> vulnerability has been assigned CVE-2016-2851.
> 
> You can find more information here:
> 
> https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/

Thanks. The fix is already on the way, cf.
https://tracker.debian.org/news/754059 thus fixing the bug report with
that version.

Regards,
Salvatore

--- End Message ---
