Your message dated Sat, 15 Apr 2017 18:33:46 +0000
with message-id <e1czsw2-00033z...@fasolo.debian.org>
and subject line Bug#860287: fixed in libosip2 4.1.0-2.1
has caused the Debian Bug report #860287,
regarding libosip2: CVE-2016-10324 CVE-2016-10325 CVE-2016-10326 CVE-2017-7853
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
860287: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860287
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libosip2
Version: 4.1.0-2
Severity: grave
Tags: upstream security patch
Justification: user security hole
Hi,
the following vulnerabilities were published for libosip2.
CVE-2016-10324[0]:
| In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a
| heap buffer overflow in the osip_clrncpy() function defined in
| osipparser2/osip_port.c.
CVE-2016-10325[1]:
| In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a
| heap buffer overflow in the _osip_message_to_str() function defined in
| osipparser2/osip_message_to_str.c, resulting in a remote DoS.
CVE-2016-10326[2]:
| In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a
| heap buffer overflow in the osip_body_to_str() function defined in
| osipparser2/osip_body.c, resulting in a remote DoS.
CVE-2017-7853[3]:
| In libosip2 in GNU oSIP 5.0.0, a malformed SIP message can lead to a
| heap buffer overflow in the msg_osip_body_parse() function defined in
| osipparser2/osip_message_parse.c, resulting in a remote DoS.
The references to the security-tracker contain both the respective
upstream report and the fixing commits.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-10324
[1] https://security-tracker.debian.org/tracker/CVE-2016-10325
[2] https://security-tracker.debian.org/tracker/CVE-2016-10326
[3] https://security-tracker.debian.org/tracker/CVE-2017-7853
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libosip2
Source-Version: 4.1.0-2.1
We believe that the bug you reported is fixed in the latest version of
libosip2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 860...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Antoine Beaupré <anar...@debian.org> (supplier of updated libosip2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 14 Apr 2017 16:21:21 -0400
Source: libosip2
Binary: libosip2-dev libosip2-11
Architecture: source
Version: 4.1.0-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Antoine Beaupré <anar...@debian.org>
Description:
libosip2-11 - Session Initiation Protocol (SIP) library
libosip2-dev - development files for the SIP library
Closes: 860287
Changes:
libosip2 (4.1.0-2.1) unstable; urgency=medium
.
* Non-maintainer upload to fix security issues (Closes: #860287)
* CVE-2016-10324: In libosip2 in GNU oSIP 4.1.0, a malformed SIP message
can lead to a heap buffer overflow in the osip_clrncpy() function
defined in osipparser2/osip_port.c.
* CVE-2016-10325: In libosip2 in GNU oSIP 4.1.0, a malformed SIP message
can lead to a heap buffer overflow in the _osip_message_to_str()
function defined in osipparser2/osip_message_to_str.c, resulting in a
remote DoS.
* CVE-2016-10326: In libosip2 in GNU oSIP 4.1.0, a malformed SIP message
can lead to a heap buffer overflow in the osip_body_to_str() function
defined in osipparser2/osip_body.c, resulting in a remote DoS.
* CVE-2017-7853: In libosip2 in GNU oSIP 5.0.0, a malformed SIP message
can lead to a heap buffer overflow in the msg_osip_body_parse()
function defined in osipparser2/osip_message_parse.c, resulting in a
remote DoS.
Checksums-Sha1:
8f7656a6ea32e059227449d4f18492e6cda61b3b 2054 libosip2_4.1.0-2.1.dsc
e88639f111a57580d4821f1a90d43d537e90f5a6 7672 libosip2_4.1.0-2.1.debian.tar.xz
Checksums-Sha256:
6cedcf2f341489312905b77d6f9a9b32da0d469a0aadc85006d1a13a4744190d 2054 libosip2_4.1.0-2.1.dsc
418d64e2e27483d5fd96d2aae1b600d11778aa08b3064cd9f636c6838aed1cfa 7672 libosip2_4.1.0-2.1.debian.tar.xz
Files:
14b018d9d434926255dc25561753ce9f 2054 comm optional libosip2_4.1.0-2.1.dsc
84620b026df025ee710757eaae930a2b 7672 comm optional libosip2_4.1.0-2.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=uHdh
-----END PGP SIGNATURE-----
--- End Message ---
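The .changes file above is what ties the libosip2 4.1.0-2.1 upload to concrete artifacts: each Checksums-* stanza lists digest, size and filename for the .dsc and the debian.tar.xz, and the whole file is an OpenPGP signed message. The following is an added example, not Debian's own tooling (dscverify from devscripts does this job, including the signature check), showing how to parse those stanzas and verify downloaded files against them. It embeds the digest/size/filename triples quoted in the thread and a constructed stanza for its self-test; filenames such as good.dsc and the verify_all helper are this example's own. It deliberately does not verify the OpenPGP signature, which is the step that binds the digests to the uploader, so in practice run `gpg --verify` on the .changes (or dscverify) before trusting the parsed values.

```python
"""Verify downloaded Debian source artifacts against the Checksums-Sha256
stanza of a .changes file (added example; not Debian's dpkg-dev/dscverify)."""
import hashlib
import hmac
import os
import tempfile

# Constructed from the .changes stanzas quoted in the thread above; the
# digest/size/filename triples are copied from there verbatim.
CHANGES_TEXT = """\
Format: 1.8
Source: libosip2
Version: 4.1.0-2.1
Checksums-Sha1:
 8f7656a6ea32e059227449d4f18492e6cda61b3b 2054 libosip2_4.1.0-2.1.dsc
 e88639f111a57580d4821f1a90d43d537e90f5a6 7672 libosip2_4.1.0-2.1.debian.tar.xz
Checksums-Sha256:
 6cedcf2f341489312905b77d6f9a9b32da0d469a0aadc85006d1a13a4744190d 2054 libosip2_4.1.0-2.1.dsc
 418d64e2e27483d5fd96d2aae1b600d11778aa08b3064cd9f636c6838aed1cfa 7672 libosip2_4.1.0-2.1.debian.tar.xz
Files:
 14b018d9d434926255dc25561753ce9f 2054 comm optional libosip2_4.1.0-2.1.dsc
 84620b026df025ee710757eaae930a2b 7672 comm optional libosip2_4.1.0-2.1.debian.tar.xz
"""


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one Checksums-* field.

    The .changes format is RFC 822 style: a field name starts at column 0
    and its entries are the indented continuation lines that follow, up to
    the next unindented field. Filenames containing a path separator are
    rejected so a hostile stanza cannot point verification at files outside
    the download directory.
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if not line[:1].isspace():
            in_field = line.split(":", 1)[0] == field
            continue
        if not in_field or not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("malformed checksum line: %r" % line)
        digest, size, name = parts
        if "/" in name or name in (".", ".."):
            raise ValueError("unsafe filename in stanza: %r" % name)
        entries[name] = (digest.lower(), int(size))
    return entries


def verify_file(path, expected_digest, expected_size, algo="sha256"):
    """True only if the file exists and both its size and digest match."""
    if not os.path.isfile(path) or os.path.getsize(path) != expected_size:
        return False
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    # Constant-time comparison; cheap insurance when the expected digest
    # came from an untrusted stanza, and it yields a plain bool.
    return hmac.compare_digest(h.hexdigest(), expected_digest)


def verify_all(changes_text, directory, field="Checksums-Sha256", algo="sha256"):
    """Map every filename in the stanza to its verification result."""
    return {
        name: verify_file(os.path.join(directory, name), digest, size, algo)
        for name, (digest, size) in parse_checksums(changes_text, field).items()
    }


def demo():
    """Constructed run: one intact file, one altered to the same size after
    the stanza was written, and one that was never downloaded."""
    payload = b"Source: libosip2\nVersion: 4.1.0-2.1\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.dsc"), "wb") as f:
            f.write(payload)
        with open(os.path.join(d, "bad.dsc"), "wb") as f:
            f.write(payload[:-1] + b"X")
        stanza = "Checksums-Sha256:\n" + "".join(
            " %s %d %s\n" % (hashlib.sha256(payload).hexdigest(), len(payload), n)
            for n in ("good.dsc", "bad.dsc", "missing.dsc")
        )
        return verify_all(stanza, d)


if __name__ == "__main__":
    print(parse_checksums(CHANGES_TEXT))
    print(demo())
```

The size check runs before hashing so a truncated or padded download fails without reading the whole file, and an absent file reports False rather than raising, which keeps one missing artifact from masking the status of the others. The Checksums-Sha1 and Files (MD5) stanzas parse the same way; only SHA-256 should be relied on for a decision.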