Your message dated Thu, 24 Mar 2016 00:20:58 +0100
with message-id <20160323232058.GA22321@pisco.westfalen.local>
and subject line Re: CVE-2015-5685: remote execution vulnerability in lazy_bdecode()
has caused the Debian Bug report #797046,
regarding CVE-2015-5685: remote execution vulnerability in lazy_bdecode()
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
797046: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797046
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libtorrent-rasterbar
Severity: grave
Tags: security patch
Version: 0.14.10-2
Control: fixed -1 1.0.6-1
Hi,
the following vulnerability was published for libtorrent-rasterbar.
CVE-2015-5685[0]:
| The lazy_bdecode function in BitTorrent DHT bootstrap server
| (bootstrap-dht) allows remote attackers to execute arbitrary code via
| a crafted packet, related to "improper indexing."
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-5685
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5685
Please adjust the affected versions in the BTS as needed.
Note that while this CVE was reported against the BitTorrent DHT Bootstrap server,
the same vulnerable code is available in libtorrent-rasterbar and the
issues ought to be fixed in all stable releases.
The experimental version is unaffected as upstream applied the security
fix already:
https://github.com/arvidn/libtorrent/commit/d9945f6f50a8c967888cd9c2ebe65ffbe462056e
seems to be (almost) the same as
https://github.com/bittorrent/bootstrap-dht/commit/e809ea80e3527e32c40756eddd8b2ae44bc3af1a
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
--- End Message ---
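The CVE text above describes the flaw only as improper indexing in lazy_bdecode() when decoding a crafted packet. As an added example that is not code from libtorrent, bootstrap-dht or this bug report, the following C++ validator shows the class of checks a bencode decoder needs on hostile input: every string length is compared against the bytes actually remaining instead of being trusted, nesting depth is capped, and truncated or malformed packets are rejected before anything is indexed. The kMaxDepth and kMaxStringLen limits, the names BValidator and validate_bencode, and the sample packets are this example's own assumptions.

```cpp
// Added example (not code from libtorrent or bootstrap-dht): a bounds-checked
// validator for bencoded DHT packets. Every length, index and nesting depth taken
// from the packet is checked against the bytes actually present before use.
#include <cstddef>
#include <cstdint>
#include <string>

enum class BStatus { Ok, Truncated, BadSyntax, TooDeep, TooLong };
struct BResult { BStatus status; std::size_t consumed; };  // consumed = bytes used when Ok

// Hypothetical limits chosen for this example, not values from the page.
static const int kMaxDepth = 32;
static const std::uint64_t kMaxStringLen = 1u << 20;

class BValidator {
public:
    BValidator(const unsigned char* data, std::size_t len) : d_(data), n_(len), pos_(0) {}
    BResult run() {
        BStatus st = item(0);
        if (st == BStatus::Ok && pos_ != n_) st = BStatus::BadSyntax;  // trailing bytes
        return BResult{st, pos_};
    }
private:
    const unsigned char* d_;
    std::size_t n_, pos_;
    bool eof() const { return pos_ >= n_; }

    // Unsigned decimal number followed by `term`; rejects overflow and empty digit runs.
    BStatus digits(std::uint64_t& out, unsigned char term) {
        out = 0;
        const std::size_t start = pos_;
        while (!eof() && d_[pos_] >= '0' && d_[pos_] <= '9') {
            if (out > (UINT64_MAX - 9) / 10) return BStatus::BadSyntax;  // would overflow
            out = out * 10 + (d_[pos_] - '0');
            ++pos_;
        }
        if (eof()) return BStatus::Truncated;
        if (pos_ == start || d_[pos_] != term) return BStatus::BadSyntax;
        ++pos_;  // consume terminator
        return BStatus::Ok;
    }

    // Byte string "<len>:<bytes>". The sender controls <len>; never index by it unchecked.
    BStatus str() {
        std::uint64_t len;
        BStatus st = digits(len, ':');
        if (st != BStatus::Ok) return st;
        if (len > kMaxStringLen) return BStatus::TooLong;
        // Compare against the bytes remaining instead of computing pos_ + len,
        // which can wrap around on a hostile length.
        if (len > n_ - pos_) return BStatus::Truncated;
        pos_ += static_cast<std::size_t>(len);
        return BStatus::Ok;
    }

    BStatus item(int depth) {
        if (depth > kMaxDepth) return BStatus::TooDeep;  // bounded recursion
        if (eof()) return BStatus::Truncated;
        const unsigned char c = d_[pos_];
        if (c >= '0' && c <= '9') return str();
        if (c == 'i') {  // integer i<digits>e, optional leading '-'
            ++pos_;
            if (eof()) return BStatus::Truncated;
            if (d_[pos_] == '-') ++pos_;
            std::uint64_t v;
            return digits(v, 'e');
        }
        if (c == 'l' || c == 'd') {  // list l<items>e or dict d<key><value>...e
            const bool is_dict = (c == 'd');
            ++pos_;
            for (;;) {
                if (eof()) return BStatus::Truncated;
                if (d_[pos_] == 'e') { ++pos_; return BStatus::Ok; }
                if (is_dict) {  // keys must be byte strings
                    if (d_[pos_] < '0' || d_[pos_] > '9') return BStatus::BadSyntax;
                    BStatus ks = str();
                    if (ks != BStatus::Ok) return ks;
                }
                BStatus st = item(depth + 1);
                if (st != BStatus::Ok) return st;
            }
        }
        return BStatus::BadSyntax;
    }
};

BResult validate_bencode(const std::string& msg) {
    return BValidator(reinterpret_cast<const unsigned char*>(msg.data()), msg.size()).run();
}

// Constructed samples: a well-formed DHT "ping" query, and a hostile packet whose
// string length claims far more bytes than it carries.
const std::string kPing = "d1:ad2:id20:abcdefghijklmnopqrste1:q4:ping1:y1:qe";
const std::string kOversized = "d1:a99999:xe";
```

validate_bencode(kPing) returns Ok with consumed equal to the packet size; validate_bencode(kOversized) returns Truncated because the claimed 99999-byte string exceeds the two bytes that remain, and a packet nested deeper than kMaxDepth returns TooDeep instead of recursing without bound.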
--- Begin Message ---
Version: 1.0.6-1
On Thu, Aug 27, 2015 at 12:04:35PM +0200, Raphael Hertzog wrote:
> Source: libtorrent-rasterbar
> Severity: grave
> Tags: security patch
> Version: 0.14.10-2
> Control: fixed -1 1.0.6-1
>
> Hi,
>
> The experimental version is unaffected as upstream applied the security
> fix already:
> https://github.com/arvidn/libtorrent/commit/d9945f6f50a8c967888cd9c2ebe65ffbe462056e
> seems to be (almost) the same as
> https://github.com/bittorrent/bootstrap-dht/commit/e809ea80e3527e32c40756eddd8b2ae44bc3af1a
This was fixed with the 1.0.6 upload, which is now also in testing/sid.
Cheers,
Moritz
--- End Message ---